XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, stopthehacker.com

Report generated by XSS.CX at Thu Sep 15 18:51:24 GMT-06:00 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. Cross-site scripting (reflected)

Profile: stopthehacker.com
Funded by NSF Grant 0956747 and 0839491
Total Funds Granted: US$ 588,242.00
Award Abstract #0956747 SBIR Phase II: Making the Internet Safer One Website at a Time
NSF Org: IIP Division of Industrial Innovation and Partnerships
Initial Amendment Date: February 4, 2010
Latest Amendment Date: February 4, 2010
Award Number: 0956747
Award Instrument: Standard Grant
Program Manager: Errol B. Arkilic, IIP Division of Industrial Innovation and Partnerships, ENG Directorate for Engineering
Start Date: February 15, 2010
Expires: January 31, 2012 (Estimated)
Awarded Amount to Date: $488242
Investigator(s): Anirban Banerjee a.banerjee@stopthehacker.com (Principal Investigator)
Sponsor: JAAL LLC, 5034 TROJAN CT, Riverside, CA 92507, 951/328-9296
NSF Program(s): SMALL BUSINESS PHASE II
Field Application(s):
Program Reference Code(s): HPCC, 9139, 6850, 5373
Program Element Code(s): 5373
ABSTRACT
This Small Business Innovation Research Phase II project will develop a novel security capability for protecting websites against hackers by providing preventive and early diagnosis services. Compromising websites is an emerging and profitable business for hackers, with devastating effects since such attacks: (a) hurt the compromised site directly, e.g. stealing stored credit card information, (b) hurt the website visitors, who are subjected to virus infections or identity theft via code injection, which turns a legitimate website into a distributor of malware, and (c) hurt the reputation of the code-injected website, which is inevitably blacklisted by search engines. The project will develop the technology to: (a) assess the vulnerability level of a website, (b) detect security breaches in the form of code injection, and (c) expedite the recovery of a compromised website. The proposed work focuses on three key goals: (a) massive scalability through the minimization of manual intervention, (b) robustness and manageability by a carefully designed software-hardware architecture, and (c) a continuous process of self-improvement and assessment of performance. If successful, the impact of the proposed project has the potential to be immediate and direct: it promises to make website security more affordable, and not a luxury or an afterthought. Website security is an immediate and expensive problem: (a) it is estimated that most websites (over 60%) are vulnerable, (b) web-based malware spreading is taking the dimensions of a pandemic, (c) all of the reported 74M active websites are likely targets: from banks, to the local cookie store, and ultimately, (d) cyber-crime is a top national security threat according to the government. The proposed solution has the potential to make significant contributions in each of these four areas. Please report errors in award information by writing to: awardsearch@nsf.gov.

XSS.CX REPORT

Issue:   Cross-site scripting (reflected)
Severity:   High
Confidence:   Certain
Host:   http://www.stopthehacker.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload xss'><script>alert(document.cookie)</script>fool was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as xss\'><script>alert(document.cookie)</script>fool in the application's response. Note that the single quote is escaped with a backslash (PHP-style escaping), but the backslash has no meaning inside an HTML attribute, so the quote still terminates the attribute value and the injected tag is rendered.

2. Email addresses disclosed

2.1. http://www.stopthehacker.com/contact/corporate/

2.2. http://www.stopthehacker.com/wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/jquery.colorbox-min.js

2.3. http://www.stopthehacker.com/wp-content/plugins/syntaxhighlighter/third-party-brushes/shBrushR.js



1. Cross-site scripting (reflected)

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stopthehacker.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ebf14'><script>alert(1)</script>f042985c8cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebf14\'><script>alert(1)</script>f042985c8cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request

GET /contact/?ebf14'><script>alert(1)</script>f042985c8cd=1 HTTP/1.1
Host: www.stopthehacker.com
Proxy-Connection: keep-alive
Referer: http://www.stopthehacker.com/services/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wpgb_visit_last-default=Thu%20Sep%2015%202011%2019%3A26%3A42%20GMT-0500%20%28Central%20Daylight%20Time%29; wpgb_visit_last-http://www_mywot.com=Thu%20Sep%2015%202011%2019%3A27%3A13%20GMT-0500%20%28Central%20Daylight%20Time%29; __utma=154329338.1422471030.1316132795.1316132795.1316132795.1; __utmb=154329338.4.10.1316132795; __utmc=154329338; __utmz=154329338.1316132795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wpgb_visit_last-http://www_stopthehacker.com=Thu%20Sep%2015%202011%2019%3A27%3A54%20GMT-0500%20%28Central%20Daylight%20Time%29

Response

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 19:28:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
X-Pingback: http://www.stopthehacker.com/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,Cookie
Set-Cookie: wpgb_visit_last_php-http://www_stopthehacker_com=1316114913; expires=Fri, 14-Sep-2012 19:28:33 GMT; path=/
Content-Length: 33680
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
   <meta http-equiv
...[SNIP]...
<form class='formBuilderForm ' id='formBuilderstopthehackercom_Contact' action='/contact/?ebf14\'><script>alert(1)</script>f042985c8cd=1#formBuilderCSSIDstopthehackercom_Contact' method='post' onsubmit='return fb_disableForm(this);'>
...[SNIP]...

2. Email addresses disclosed
There are 3 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


2.1. http://www.stopthehacker.com/contact/corporate/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.stopthehacker.com
Path:   /contact/corporate/

Issue detail

The following email addresses were disclosed in the response:

Request

GET /contact/corporate/ HTTP/1.1
Host: www.stopthehacker.com
Proxy-Connection: keep-alive
Referer: http://www.stopthehacker.com/contact/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: wpgb_visit_last-default=Thu%20Sep%2015%202011%2019%3A26%3A42%20GMT-0500%20%28Central%20Daylight%20Time%29; wpgb_visit_last-http://www_mywot.com=Thu%20Sep%2015%202011%2019%3A27%3A13%20GMT-0500%20%28Central%20Daylight%20Time%29; __utma=154329338.1422471030.1316132795.1316132795.1316132795.1; __utmb=154329338.5.10.1316132795; __utmc=154329338; __utmz=154329338.1316132795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wpgb_visit_last-http://www_stopthehacker.com=Thu%20Sep%2015%202011%2019%3A30%3A22%20GMT-0500%20%28Central%20Daylight%20Time%29

Response

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 19:28:14 GMT
Server: Apache
Last-Modified: Fri, 09 Sep 2011 19:28:09 GMT
Accept-Ranges: bytes
Content-Length: 26921
Cache-Control: max-age=300, must-revalidate
Expires: Thu, 15 Sep 2011 19:33:14 GMT
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">
   <meta http-equiv
...[SNIP]...
<a href="mailto:support@stopthehacker.com">support@stopthehacker.com</a>
...[SNIP]...
<a href="mailto:sales@stopthehacker.com">sales@stopthehacker.com</a>
...[SNIP]...
<a href="mailto:website@stopthehacker.com">website@stopthehacker.com</a>
...[SNIP]...
<a href="mailto:jobs@stopthehacker.com">jobs@stopthehacker.com</a>
...[SNIP]...
<a href="mailto:info@stopthehacker.com">info@stopthehacker.com</a>
...[SNIP]...
<a href="mailto:pr@stopthehacker.com">pr@stopthehacker.com</a>
...[SNIP]...

2.2. http://www.stopthehacker.com/wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/jquery.colorbox-min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.stopthehacker.com
Path:   /wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/jquery.colorbox-min.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wp-content/plugins/jquery-lightbox-for-native-galleries/colorbox/jquery.colorbox-min.js?ver=1.3.14 HTTP/1.1
Host: www.stopthehacker.com
Proxy-Connection: keep-alive
Referer: http://www.stopthehacker.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 19:24:22 GMT
Server: Apache
Last-Modified: Thu, 30 Dec 2010 20:29:40 GMT
ETag: "6360795-23f9-498a68b8b5500"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 9209
Content-Type: application/javascript

// ColorBox v1.3.14 - a full featured, light-weight, customizable lightbox based on jQuery 1.3+
// Copyright (c) 2010 Jack Moore - jack@colorpowered.com
// Licensed under the MIT license: http://www.opensource.org/licenses/mit-license.php
(function(b,ib){var t="none",M="LoadedContent",c=false,v="resize.",o="y",q="auto",e=true,L="nofollow",m="x";func
...[SNIP]...

2.3. http://www.stopthehacker.com/wp-content/plugins/syntaxhighlighter/third-party-brushes/shBrushR.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.stopthehacker.com
Path:   /wp-content/plugins/syntaxhighlighter/third-party-brushes/shBrushR.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wp-content/plugins/syntaxhighlighter/third-party-brushes/shBrushR.js?ver=20100919 HTTP/1.1
Host: www.stopthehacker.com
Proxy-Connection: keep-alive
Referer: http://www.stopthehacker.com/services/blacklist-monitoring/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=154329338.1422471030.1316132795.1316132795.1316132795.1; __utmb=154329338.1.10.1316132795; __utmc=154329338; __utmz=154329338.1316132795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wpgb_visit_last-default=Thu%20Sep%2015%202011%2019%3A26%3A42%20GMT-0500%20%28Central%20Daylight%20Time%29

Response

HTTP/1.1 200 OK
Date: Thu, 15 Sep 2011 19:25:01 GMT
Server: Apache
Last-Modified: Thu, 21 Jul 2011 01:57:15 GMT
ETag: "636004d-40b-4a88aab0494c0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 1035
Content-Type: application/javascript

/**
* Author: Yihui Xie <xie@yihui.name>
* URL: http://yihui.name/en/2010/09/syntaxhighlighter-brush-for-the-r-language
* License: GPL-2 | GPL-3
*/
SyntaxHighlighter.brushes.R = function()
...[SNIP]...
